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Preface 

This 3+Open MS OS/2 LAN Manager Administrator Guide describes how to 
perform administrative tasks with the Microsoft® Operating System/2 LAN 
Manager. 

This introductory section provides some basic information about this guide and 
about the LAN Manager documentation set 



Before You Begin 

Before using this guide, you should feel comfortable using MS OS/2 and be able to 
create and work with files and directories. 

If you are not familiar with OS/2, refer to these manuals provided wtih your 
3+Open package: 

• 3+Open MS OS/2 LAN Manager User Guide. 

• 3+Open MS OS/2 LAN Manager User Reference. 

• 3+Open MS OS/2 LAN Manager Installation and Setup Guide. 
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System Requirements 

Before you can use 3+Open OS/2 LAN Manager, you'll need the following: 

• An 80286- or 80386-based personal computer with at least one hard disk and 2 
megabytes of memory that is running release 1.0 or later of MS or IBM OS/2. 

• A network adapter card properly configured and installed in the computer and 
physically connected to the local area network. (See the hardware 
documentation that comes with your network adapter card for installation). 

• Distribution disks containing the 3+Open LAN Manager software. 



• The following manuals in addition to the 3+Open MS OS/2 manuals: 



Manual 


Contents 


3+Open MS OS/2 LAN Manager 
Installation and Setup Guide 


Describes how to install LAN Manager 
software on servers and netstations, and how 
to set up network users and resources after 
installation. 


3+Open 

Network System Guide 


Describes how to configure your network for 
optimum performance and memory 
utilization. Also describes 3+ and 3+Open 
internetwork operation guidelines. 


3+Open MS OS/2 LAN Manager 
User Guide 


Describes how to use LAN Manager on a 
netstation. Includes tutorials and instructions 
on using shared resources. 


3+Open MS OS/2 LAN Manager 
User Reference 


Details the LAN Manager menu screens and 
syntax and options for netstation commands. 
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Manual 


Contents 


3+Open MS OS/2 LAN Manager 
Administrator Reference 


Details the LAN Manager menu screens and 
syntax and options for server commands. 


3+Open DOS LAN Manager 
User Guide 


Describes the command-oriented version of 
LAN Manager that runs on DOS LAN 
Manager netstations. Includes a complete 
command reference. 



Conventions Used in This Guide 

The following conventions are used throughout the guide. 



Keys 

The table below shows the symbols used to represent the keys on your keyboard. 



Spelling 


Key Represented 


[Esc] 

[Alt] 

[Ctrl] 

[Backspace] 
[Space bar] 
[FIHFjc] 

J or [Return] or 
[Enter] 


Escape 
Alternate 
Control 
Backspace 
Space bar 
Function keys 

Fl through Fjc 
Return or 

Enter key 
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Key Combinations 

If two or more keys are to be pressed simultaneously, the keys are linked with a + 
sign. For example, the following key combination resets a netstation: 

[Ctrl]+[Alt]+[Backspacel 



Notational Conventions 

Throughout this manual, the following conventions are used to distinguish elements 
of text: 



Text Element 


Indicates 


ALL CAPITAL LETTERS 


Command names and filenames. 


Bold 


New terms. 


Bold Courier typeface 


Input. 


Regular Courier typeface 


Screen text. 


[Brackets] 


Nonalphabetic key names such as [Enter] 
or command options. 


Italics 


Variable command option names. 


Plaintext: /delete 


Command options to be typed as is. 



Procedural Conventions 

Information you should enter is shown in boldface, computer-like type. Terms 
shown in italics should be replaced with specific information. For example: 

makedisk u : J 

means that you type the command MAKEDISK followed by a drive identifier and 
press [Return]. 
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How to Use This Guide 

This guide is divided into chapters and appendices. The following provides a quick 
overview of the topics covered in each part of this manual: 





v^UIllCIlla 


L,napter i 


Introducing LAN Manager network components and 
concepts. 


i^napier z 


oicuxing, siupping, pausing, ana continuing jl/\i>i 
Manager services. 


Chapter 3 


Managing shared resources. 


Chapter 4 


Sharing and controlling disk directories. 


Chapter 5 


Sharing and controlling spooled printers. 


Chapter 6 


Sharing and controlling communication devices. 


Chapter 7 


Setting up and using shared programs. 


Chapter 8 


Managing user-level security. 


Chapter 9 


Managing share-level security. 


Chapter 10 


Managing centralized log-on security. 


Chapter 11 


Managing overall network server administration. 


Chapter 12 


Monitoring and troubleshooting on the local area 
network. 


Appendix A: 


LAN Manager utilities 


Appendix B: 


Setting up and using the Console version of the 
LAN Manager screen 


Appendix C: 


Understanding the LAN Manager command flow 
diagrams. 


Glossary 


Glossary of 3+Open LAN Manager terms. 
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Finding Further Information 

The following manuals are included with 3+Open MS OS/2 LAN Manager: 

• 3+Open MS OS/2 LAN Manager Installation and Setup Guide, a short guide to 
installing 3+Open MS OS/2 LAN Manager. 

• 3+Open MS OS/2 LAN Manager User Guide, a procedural guide to using LAN 
Manager on a netstation. This guide provides users with tutorials and 
instructions for LAN Manager tasks. 

• 3+Open Network System Guide, a reference guide for experienced (3Wizard) 
technical network users on tuning networks for optimum performance and 
memory usage. 

• 3+Open MS OS/2 LAN Manager User Reference, a reference for users working 
with LAN Manager commands and the LAN Manager Screen on a netstation. 
This reference describes each command and dialog box available to the local 
area network user. 

• 3+Open MS OS/2 LAN Manager Administrator Guide, a procedural guide for 
the administrator using LAN Manager on a server. This guide describes how to 
perform administrative tasks on a local area network. 

• 3+Open MS OS/2 LAN Manager Administrator Reference, a reference for the 
administrator working with LAN Manager commands and the LAN Manager 
Screen on a server. It describes how to use additional commands and dialog 
boxes available to administrators. 

• 3+Open MS-DOS® LAN Manager User Guide, a guide to the command- 
oriented LAN Manager that runs on DOS netstations. This manual includes a 
complete reference to the commands available on MS-DOS netstations. 
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Chapter 1: Introduction 

As administrator, you will oversee the creation, operation, and maintenance of the 
local area network. In this chapter, you will learn the following: 

• What a local area network is and how it works. 

• What 3+Open LAN Manager does. 

• What local area network resources are and how to use them. 

• How users and administrators use local area networks. 

• About LAN Manager menus. 



Local Area Networks 

When you work with a personal computer, you use certain resources to get things 
done. A resource can be a disk drive, a printer, a modem, or any other physical 
device you have connected to your computer. Software programs, files, and 
directories are also resources that you use on a personal computer. 
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A local area network (LAN) joins computers so that they can share resources. This 
means you can use the resources of other computers as if they belonged to your 
computer. For example, if you need to print one of your files but do not have a 
printer in your office, you can send the file to another computer on the local area 
network that does have a printer. 

When a computer makes one of its resources available to the other computers on the 
LAN, it shares the resource. The other computers can then use the resource. For 
example, when you send a file to a printer that is attached to another computer, you 
are using that printer; and the computer is sharing it. Resources that can be shared 
are network resources. 



3+Open 

3+Open is a family of sophisticated local area network products based on the multi- 
tasking OS/2™. Its open architecture enables you to connect a wide variety of 
standard OS/2, DOS™, and Macintosh computers into a single network. It uses the 
power of OS/2 while at the same maintaining compatibility with DOS computers 
and applications. Netstations using either OS/2 or DOS (including dual-boot OS/2) 
can run 3+Open software. 

3+Open supports the major network protocols, Xerox Network Systems (XNS™) 
and IBM® NetBEUI/DLC™. It also allows you to use multiple network adapters 
and protocols in a single computer. 

3+Open provides a common user interface across its product line. This interface 
conforms to the IBM Systems Application Architecture™ (SAA) user interface 
standards. The use of a single interface for all products in the 3+Open family 
makes it easier for you to learn and use each of the products. 

At the core of 3+Open is the 3+Open LAN Manager. This is described in the next 
section. 
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3+Open LAN Manager 

3+Open LAN Manager is the network system software that forms the basis of 
3+Open. It is an enhanced version of Microsoft's OS/2 LAN Manager™. 

3+Open LAN Manager has the following features: 

• Log-on scripts and user profiles that give the user uniform access to the 
network, regardless of what netstation the user logs on from. 

• A window-oriented network interface to help assign network resources such as 
disk directories, files, communication ports, and printers. 

• A comprehensive security system that allows the network administrator to 
regulate who gets access to what resources and provides facilities for 
monitoring and making a record of resource use. 

• Error logging and compilation of network usage statistics. 

• The Postscript™ Despooler and a facility for administrating it. 

• DOS Manager™ and memory-saving applications for DOS computers. 

• 3+Open Installation and Setup Program. This program installs the LAN 
Manager, sets tuning parameters to standard values, and configures printer 
services. It also creates server and netstation start-up disks. 



OS/2 for Servers 

3+Open is shipped with a single copy of OS/2. You should always install the 
3Com version on the server, if included with your 3+Open package. If your server 
hardware does not have its own OS/2, you should be able to install this one on it. 
For installation instructions, refer to the 3+Open LAN Manager Installation and 
Setup Guide shipped with the 3+Open LAN Manager software package. 
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3+Open Network Components 

3+Open supports a variety of network configurations. Servers can be IBM AT- 
compatible computers, IBM PS/2, or 3Com 3Servers. They must use OS/2. 
Netstations can be IBM AT-compatible and IBM PC-compatible computers as well 
as 3Com 3Stations. Netstations can be OS/2- or DOS-based. 



How LAN Manager Works 

Some of the computers on a local area network are designated to manage the data 
and equipment that constitute the local area network. These computers are called 
servers. 

Servers make resources available to users of the local area network. Resources can 
be disk drives, directories, printers, modems, scanners, and other equipment. The 
process of making a resource available to users is called sharing that resource. 
Sharing is the core of your work as an administrator — you decide what resources 
are shared and in what manner. 

Once you share a resource, users can access that resource as though it were 
physically attached to their own computer, even though the actual hard disk, 
printer, or modem may be across the hall or across the building. 

Netstations are the computers on the local area network that use the resources you 
share from a server. Netstations are where users use word processing, 
spreadsheet, database, and other applications to accomplish their work. An MS 
OS/2 computer can simultaneously be a server and a netstation. This is called a 
concurrent server. 
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Figure 1-1 is an example of a 3+Open LAN Manager network. 

Netstation 



Printer j 










Netstation 



Netstation 



Netstation 



Figure 1-1. 3+0pen Network Example 
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LAN Manager Services 

The programs that let servers share resources and let netstations use those shared 
resources are services. Services represent the major functions of LAN Manager. In 
addition to the Server and Workstation services, LAN Manager offers the following 
services listed in Table 1-1. 



Table 1-1. LAN Manager Services 



Service 


Function 


Messenger 


A netstation that lets users exchange messages on the local 
area network. 


Netpopup 


A netstation that displays messages on a computer's screen 
at the moment they are received. 


Spooler 


A Server service that manages printing on shared printers. 


Netrun 


A Server service that lets a user run a program remotely in a 
server's memory and interact with that program as if it were 
running on the user's own netstation. 


Alerter 


A Server service that sends messages to administrators and 
users about significant events occurring on the server. 


Netlogon 


A Server service that validates user names and passwords 


3+Open Start 


A Server service that allows netstations to start up and log 
on to the network automatically, eUminating the need for 
individual start-up diskettes. 


3+Open Backup 


A Server service that allows network administrators to back 
up server and netstation program and data files onto tape, 
and to restore stored files back to the servers and netstations 
when necessary. 
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Entry Level LAN Manager 

Our "Entry" system is a special version of LAN Manager, called 3+Open LAN 
Manager Entry System, (referred to as the Entry Level LAN Manager in the rest of 
this book), consisting of one server and up to five netstations. Throughout this 
manual and other MS OS/2 LAN Manager manuals are references to special 
properties of this product. For example, since there is only one server on an Entry- 
Level LAN Manager local area network, the name of the server is set as server. 
You cannot change the name. 



DOS LAN Manager 

Computers running DOS can use the same local area network as computers running 
MS OS/2. DOS LAN Manager lets DOS computers use resources shared by MS 
OS/2 LAN Manager servers. DOS LAN Manager also provides some features of 
MS OS/2 LAN Manager such as automatic reconnection (reestablishing a 
connection you haven't used in a while) and network pathnames (using a resource 
without first making an explicit connection). 

DOS computers running the MS-Net, 3+, or PC-LAN local area network software 
can also use resources shared from MS OS/2 LAN Manager servers. The advanced 
features of LAN Manager, however, are not available to these netstations. 
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How LAN Manager Uses Names 

LAN Manager employs a variety of names to help users and programs identify 
locations and actions on the local area network. 



Computer Names and Sharenames 

To identify the computers on the local area network, LAN Manager uses computer 
names. Each netstation and server has a unique computer name. A computer name 
can identify the primary user of the computer or the main task for which the 
computer is used. For instance, the computer name for a server from which you 
were sharing several laser printers might be lasers. Administrators should assign 
computer names to netstations and servers. 

When administrators share a resource they assign it a sharename. A sharename can 
identify the type of resource being shared (such as disk or printer) or the use 
intended for the resource (such as reports or figures). A sharename cannot be used 
twice on the same server but can be used on different servers on the local area 
network. 

You can identify any shared resource on the local area network by combining the 
sharename of the resource with the computer name of the server from which the 
resource is shared. This combination is called the network path of the shared 
resource. Network paths consist of two backslashes, the computer name of the 
server, another backslash, and the sharename of the shared resource 
(S\computername\sharename). Network paths are used with LAN Manager and 
OS/2 commands and applications. 



User Names and Aliases 

Just as computers and resources have names, users have names to identify them. 
Each user's username is unique. As administrator, you will assign user names to 
all users on the local area network. User names are essential for assigning 
permissions to shared resources and sending messages to users. 

An alias is a name that can receive messages sent across the local area network. 
Any number of aliases can be added to a netstation or server. 
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Security for Shared Resources 

When you share a resource, you assign it permissions that govern who can use that 
resource and how they can use it. Permissions for a server's shared resources 
work in one of two ways, depending on whether the server is running with user- 
level security or share-level security. See Chapter 8: Managing User-Level 
Security and Chapter 9: Managing Share-Level Security. 



User-Level Security 

With user level security, each user has a set of permissions for each shared resource 
he or she can use. One shared resource can have as many different sets of 
permissions as there are users who can use the resource. Each user has an account 
on each server they can use. Accounts identify the user to the server and specify 
one of three privileges: guest, user, or administrative. The privilege associated with 
a user's account, along with that user's permissions for a shared resource, 
determines how the user can use the shared resource. 



Share-Level Security 

All users are subject to the same password and permissions: anyone who knows the 
password can use the shared resource. 



Log-on Security 

In addition to user level and share level security, LAN Manager provides log-on 
security This feature adds another layer of security to the local area network. Under 
log-on security, the user name and password that a user supplies when trying to log 
on to the local area network determine whether the user is granted access to the local 
area network as a whole, rather than on a per-server or per-resource basis. Log-on 
accounts can be stored on one server or distributed among several servers on the 
local area network. Once users pass through this log-on procedure, their use of 
resources is governed by the user-level or share-level security controls in force on 
individual servers. 

For more information on user-level, share-level, and log-on security, see Chapter 8: 
Managing User Level Security, and Chapter 9: Managing Share Level Security and 
Chapter 10: Managing Log-on Security. 
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What An Administrator Does 

The administrator of a local area network is responsible for setting up and 
maintaining all local area network resources. The person who takes on this 
responsibility should be the following: 

• An experienced user of OS/2 or DOS. 

• Able to use a word processing or text editing program. 

• Able to perform LAN Manager tasks from the OS/2 prompt or with the LAN 
Manager screen. 

This section describes the various responsibilities of an administrator. These 
include the following: 

• Planning and setting up the local area network. 

• Managing shared resources. 

• Controlling security and user accounts on the local area network. 

• Maintaining the local area network. 

• Educating users. 



Planning a Local Area Network 

There are a few things you need to consider when planning a local area network. 
First, you should know which resources each local area network user needs to 
access. Ask users these kinds of questions: 
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Shared Resources Issues 

• What kind of printer does your job require? 

• Do you need access to a modem? 

• Are there certain directories that the members of your department or group all 
need to use? 



Security Issues 

Next, you should probe security issues. Consider these types of questions: 

• Are there files that should be available to some users but not to others? 

• Should users who need to access these files be allowed to revise them or delete 
them? 

• Should certain devices be available only to a specific group of users? 



Server Needs 

Then decide how many servers your local area network needs and which files, 
directories, and devices should be on each server. Consider these types of 
questions: 

• How many computers are to be on your local area network? 

• Which users and groups of users need to use which resources? 

• How many users are to be local area network administrators? 

If you are using the entry-level LAN Manager product, your local area network can 
only have one server. 
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Device Needs 

Finally, try to estimate what the demand for printers and communication devices 
will be and determine whether you should create device pools. When you pool 
similar devices, LAN Manager searches for, and connects the user to, the first 
available device in the pool. This saves users the trouble of hunting around for an 
available device and assures that the devices you share will be available as quickly 
and as often as possible. 



Working with Other Network Products 

MS OS/2 LAN Manager software works with other local area network products as 
shown in figure 1-2. 



3+Open LAN Manager 
Server 



c 



MS-NET 
Server 



3+Open 
LAN Manager OS/2 
Netstation 



XENIX-NET 
Server 



3+Open 
LAN Manager DOS 
Netstation 



3 



[ 3+OS/2 I [ 

I Netstation I \ 



J 



IBM PC 
LAN Program 
Netstation 



J 



MS-NET DOS 
Netstation 



c 



3+ Macintosh 
Netstation 



3+ 
Server 



3+ DOS 
Netstation 



J 



Figure 1-2. Mixed Network Products Diagram 
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In a local area network of mixed products, some LAN Manager features are not 
available to other netstations. For example, you cannot send network 
administration commands to an MS OS/2 LAN Manager server from a DOS LAN 
Manager netstation. For the most part, however, any netstation on the local area 
network can connect to, and use resources of, an MS OS/2 LAN Manager server as 
long as both systems are running the same network transport protocols. 3+ for 
Macintosh netstations can run on mixed 3+Open and 3+ networks. Macintosh 
netstations may only use a 3+ Server, however, any other netstation can share 
information with the Macintosh netstation by accessing the data from the 3+ server. 



Managing Shared Resources 

Shared resources like printers, modems and hard disks, need a fair amount of 
maintenance. You need to make sure that users don't waste disk space by filling up 
shared directories with nonessential files and directories. For shared printers and 
communication devices, you need to tend to the mechanical requirements of the 
printer, such as paper and toner or ribbons, and to monitor the workload on the 
devices to assure users won't have to wait an unreasonable amount of time before 
they can use the device. 

You can share a server's software and memory, letting users run programs on the 
server while doing other work on their netstations. You must keep server 
performance in mind, however, when you do this, if too many users run large 
programs at once, the server may bog down or stop. You decide which programs 
can be run, who can run them, and how many can run at one time. 

Once you've determined which resources to share and how to maintain them, you'll 
need to develop a security system for these shared resources. The next section 
explains more about controlling the security of resources on the local area network. 
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Controlling Security on the Network 

One of your chief responsibilities as administrator is maintaining security on the 
local area network. You are responsible for deciding whether each server will use 
user level security, which controls the access of each user to each resource, or share 
level security, which lets you assign passwords to control access to resources. You 
are also responsible for assigning access rights to resources and for adding user 
accounts to the local area network. 



Accounts and permissions 

For a user to be able to use a user level server and its resources, you must create a 
user account for that person on the server. In addition to creating accounts for new 
users, you need to maintain existing user accounts to be sure users have the 
appropriate level of privilege and the necessary permissions to use needed shared 
resources. You can simplify the job of managing security on the local area network 
by creating groups of users and then setting permissions for each group. With 
groups, you can assign one set of permissions to a large number of users, instead 
of to many individual users of the same resource. Chapter 8: Managing User Level 
Security explains how to create and modify user accounts, assign passwords, and 
create groups. 



Permission Considerations 

Once all the local area network users have accounts, you need to assign permissions 
for the shared resources. You'll need to consider the following: 

• Whether a server is running with user level or share level security. 

• Who needs to use the shared resources of the server, and in what manner. 

Chapter 8: Managing User Level Security and Chapter 9: Managing Share Level 
Security discuss user level and share level security. 
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Security for DOS Netstations 

DOS netstations are subject to the security measures of MS OS/2 LAN Manager 
servers. While DOS LAN Manager, MS-Net, and PC-LAN have no allowance for 
user names or user accounts, an MS OS/2 LAN Manager server maintains an 
account under the netstation's computer name. 



Maintaining the Local Area Network 

The administrator's job is not over when the local area network is set up and all of 
the user and group accounts are in place. The administrator's on-going role is to 
maintain the local area network and monitor its activities. Chapter 12: Monitoring 
and Troubleshooting Server Operations shows you how to use a server's statistics 
and logs to diagnose problems. 

Over time, your local area network will change. You'll need to add and remove 
user accounts, computers, and resources. As changes occur, you'll be responsible 
for tuning the local area network to operate efficiently. The 3+Open Network 
System Guide explains how you can improve the way your server functions by 
modifying entries in the LANMAN.INI file. 

Virtually any task you can perform as administrator on a local server you can also 
perform on a network server without leaving your MS OS/2 netstation. This ability 
to control network servers can simplify your work as an administrator. Chapter 11: 
Administrating a Network Server discusses network administration. 

DOS LAN Manager, MS-Net, and PC-LAN netstations cannot perform network 
administration. 
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Educating Users 

The goal of all your work as an administrator is to bring people and resources 
together as effectively as possible. To this end, you need to educate users about the 
specific requirements and features of the local area network and about the habits and 
etiquette that are appropriate on a local area network. 

You need to educate users about the following: 

• How to find and use the various resources available on the local area network. 

• What they should or should not do with shared resources. 

For instance, you should tell users not to remain connected to shared modems when 
they're not actually using them, and not to use shared directories as dumps for 
software they no longer want on their own computers. Much of this type of 
education you can accomplish by providing accurate, detailed remarks to 
accompany servers and shared resources. 

DOS LAN Manager, MS-Net, and PC-LAN users require extra information. These 
people cannot look at server resources; they must know the exact name of a 
resource before connecting to it. You must provide this information. 



Local Area Network Etiquette 

Although each local area network has its own requirements for ensuring smooth 
operation, general guidelines for users to learn include the following: 

• Respecting the needs of other users by not monopolizing resources. 

• Closing shared files after working with them. 

• Changing passwords frequently and keeping them secret. 
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Using Menus and Commands 

There are two ways you can work with LAN Manager: 

• Use the menus and dialog boxes of the LAN Manager screen. 

• Type commands and options at the OS/2 prompt. 

The LAN Manager screen is a full-screen graphic interface that displays resources 
and actions and lets you select the ones you want. The major advantages of the 
LAN Manager screen are the following: 

• Interactive menus and dialog boxes guide you through the various LAN 
Manager procedures. 

• No need to memorize complicated commands or syntax. 

When you first start administrating a local area network with LAN Manager, you'll 
probably feel more comfortable using the LAN Manager screen for most of your 
work. Later, when you're familiar with LAN Manager and want to start writing 
batch files to automate administrative tasks, you can start learning LAN Manager 
command syntax. (For detailed information on LAN Manager commands and batch 
files, see the 3+Open MS OS/2 LAN Manager Administrator Reference.) 

For more specific information on how to use the LAN Manager screen menus and 
commands, refer to Chapter 2 in the 3+Open MS OS/2 LAN Manager User Guide. 
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Using the LAN Manager Screen 

The LAN Manager screen provides a system of menus and dialog boxes that guide 
you through the various LAN Manager tasks. 

Before you select a menu to start a task with the LAN Manager screen, and after 
you complete a task and have cleared all menus and dialog boxes from the screen, 
you see the LAN Manager screen background panel: 



Vieu Message Config Status Accounts Fl^Help 
Microsoft OS/2 LAN Manager 1.8 



Vour username". ADMIN Administering'. WPRINT1 

Vour computer name : WPJUNT1 0 remote administrators 

0 netuork files are open. 0 shared files are open. 



Server operating in user security mode. 

0 users are logged on. 
0 bad password attempts. 
0 errors have occurred. 



Press the ALT key to select a menu 

Figure 1-3. LAN Manager Screen Background Panel 
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The Background Panel 

The background panel shows you: 

• Your user name. 

• Name of your server. 

• Name of a network server, if you are using the LAN Manager screen to issue 
commands on that server. 

• Number of local area network resources that you are using on other servers. 

• Number of local area network resources on your server that others are using. 

• Security mode of your server (share level or user level). 

• Status of the local area network. 



Starting the LAN Manager Screen 

You can start the LAN Manager screen in any of three ways: 

• By typing NET at the OS/2 prompt. This starts the user version of the LAN 
Manager screen, the same version used by netstations. 

• By typing NET ADMIN at the OS/2 prompt This starts the administrator 
version of the LAN Manager screen, which adds extra server functions to the 
general user version of the LAN Manager screen. 

All discussion of the LAN Manager screen in this manual refers to the 
administrator version except where otherwise noted. A quick way to verify that 
you are in the administrator version of the LAN Manager screen is by checking 
the menu bar at the top of the screen: If there are five menus listed, then you are 
in the administrator version; if there are only four, then you are in the user 
version, which is lacking the Accounts menu. 
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• By typing NET CONSOLE at the OS/2 prompt This starts the server console 
version of the LAN Manager screen, a limited-access screen that lets users 
perform selected low-security LAN Manager functions at an unattended server 
console. 

The console version of the LAN Manager screen is useful for giving users 
limited access to certain server functions. For example, an unattended server 
running the console version in a printer room could let users check on the status 
of their print jobs. 

For more information about the user version of the LAN Manager screen, see the 
3+Open MS OS/2 LAN Manager User Guide. For more information about the 
server console version of the LAN Manager screen, see Appendix B: LAN 
Manager Screen Console Version. 



Using the LAN Manager Screen 

When you use the LAN Manager screen, you move through a series of displays, 
making selections and entering information. You encounter two types of displays: 

• Menus. 

♦ Dialog boxes. 

As you work with the LAN Manager screen, you can press [Esc] at any time to 
cancel the current operation. To clear all the menus and dialog boxes from the LAN 
Manager screen, keep pressing [Esc] until you see just the background panel. 
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LAN Manager Menus 

A menu is your starting point for any LAN Manager operation. The names of the 
available menus appear at the top of the LAN Manager screen: 



Table 1-2. LAN Manager Menus 



Menu 


Purpose 


View 


Displays the names of servers and shared resources across the local 
area network and at your own server; lets you make connections to 
shared resources; lets you examine print and communication queues; 
lets you exit the LAN Manager screen. 


Message 


Lets you send messages to other users; lets you read messages that 
have "been sent to you; lets you specify aliases and message log files. 


Config 


Lets you save or restore a prearranged set of connections; lets you 
change your password or stop LAN Manager altogether. 


Status 


Displays status information about your server and the 
local area network. 


Accounts 


Lets you set or change permissions for shared resources and user 
accounts on your server. 



For more specific information on how to use LAN Manager menus and commands, 
refer to Chapter 2 in the 3+Open MS OS/2 LAN Manager User Guide. 



LAN Manager provides more information when you need it by displaying 
information or error messages and providing on-line help for both the LAN 
Manager screen and LAN Manager commands. 
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On-Line Help 

Whether you are performing local area network tasks using the LAN Manager 
screen or LAN Manager commands, you can get additional information or help. 
When you are working in the LAN Manager screen, you can press the [Fl] key to 
get context-sensitive help. For example, if you are working in the Device Status 
dialog box and press [Fl], information is displayed about using that particular 
dialog box. This facility also includes an index from which you can choose topics 
of interest to you, including general information about how to use menus and dialog 
boxes. 

LAN Manager also provides a special help command with LAN Manager 
commands. To get information about using a particular LAN Manager command, 
type NET HELP followed by the command name. If the command begins with the 
word net, type NET HELP followed only by the second word of the command. 
For example, if you want more information about using the NET USE command, 
type: 

net help use 

LAN Manager displays the following information: 

The syntax of this command is : 
net use [device I Wcomputer name\sharename] 
net use [device] Wcomputer name \sha rename [password] 
[/print | /comm] 

net use [device I Wcomputer name \sha rename] /delete 
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You can also type NET HELP by itself to get a listing of topics for which NET 
HELP is available: 



Help is 


available on: 








AT 


COMPACT NET 








Help on 


the following NET commands 


is available: 


ACCESS 


ADMIN 


AUDIT 


COMM 


CONFIG 


CONSOLE 


CONTINUE 


COPY 


DEVICE 


ERROR 


FILE 


FORWARD 


GROUP 


HELP 


LOAD 


LOG 


LOGOFF 


LOG ON 


MOVE 


NAME 


PASSWORD PAUSE 


PRINT 


RUN 


SAVE 


SEND 


SEPARATOR 


SESSION 


SHARE 


START 


STATS 


STATUS 


STOP 


USE 


USER 


VIEW 











Error Messages 

If you type a LAN Manager command with an option that LAN Manager doesn't 
recognize, you will see an error message in this form: 

NET####: Message text 

#### is a four-digit number that uniquely identifies the LAN Manager message. 
Message text is a short message that describes the error. 

You can use the OS/2 HELPMSG command to get further information about any 
LAN Manager message that appears at the OS/2 prompt. To get more information, 
type the HELPMSG command followed by the message identification (NET####) 
For example, suppose you meant to type the NET START command but instead 
typed the following: 



net strat 
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This message would display: 

net2622: This command is unknown. 

Type: 

net help 

to view a list of commands. 

To get more information about the message itself, type: 

helpmsg net 2 622 

LAN Manager then displays an explanation of the message and a suggestion for the 
action you should take next. 

When you are working in the LAN Manager screen, messages are displayed by 
message boxes. Some of the messages displayed are the same as those LAN 
Manager displays at the OS/2 prompt. Other messages displayed are specific to the 
LAN Manager screen. To get more information about a message displayed by the 
LAN Manager screen, press [Fl]. 
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Chapter 2: Starting and Using 
Network Services 

In this chapter, you will learn how to: 

• Start and stop the services that comprise OS/2 LAN Manager. 

• Log on to and off from the local area network. 

• Pause and continue certain LAN Manager services. 



LAN Manager Services 

In Chapter 1 you learned that the LAN Manager software consists of separate 
programs, known as services, that provide the main functionality of LAN Manager. 

The most fundamental services are the Workstation service and the Server service. 
The Workstation service establishes and controls communication between the local 
area network and a personal computer netstation. From a netstation, a user can 
access shared resources on the local area network. 
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A computer must be running the Workstation service in order to run the Server 
service. The Server service provides the software that turns a netstation into a local 
area network server. From a server, an administrator can manage shared resources, 
assign permissions and privileges, and monitor activity on the local area network. 



Starting LAN Manager Services 

Before you can use local area network resources, you must: 

• Install and start the OS/2 LAN Manager software that connects and identifies 
your computer to the local area network. 

• Log on to the local area network to identify yourself to the local area network. 

Starting the Workstation service identifies a computer to the local area network. 
Starting the Server service lets you share resources from your computer with users 
of the local area network. Depending on your needs, you may also choose to start 
one or more of the other services when you start the Server or Workstation service. 

When you start LAN Manager in one OS/2 session, it affects not only that session, 
but all other sessions you have started or will start. Likewise, any local area 
network connections you make with LAN Manager can be used from any of your 
OS/2 sessions or even from the DOS session. The restriction is that you can only 
type LAN Manager commands from any of your OS/2 sessions, and not from the 
DOS session. See the 3+Open MS OS/2 LAN Manager User Reference for more 
information about the OS/2 and DOS sessions. 



The NET START Command 

To start any of the LAN Manager services, use the NET START command with the 
following option: 

net start service 

service is the service that you are starting. 
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For example, to start the Messenger service, type: 
net start messenger 

You can also type the NET START command by itself to see which services are 
currently running on your computer: 

net start 

A display like this appears: 

The following LAN Manager services are running: 
WORKSTATION MESSENGER NETPOPUP 

The coinmand completed successfully. 

You can also modify your STARTUP.CMD file to start LAN Manager services 
automatically when you start your computer. 



Starting Services Automatically 

If no services are running when you type the NET START command by itself, 
LAN Manager asks if you want to start the workstation software. Type the [Y] and 
press the [Enter] key to start the netstation. 

When you type a LAN Manager command, LAN Manager automatically checks to 
see if all the services necessary for that command are in fact running. If a required 
service is not running, LAN Manager tells you that it needs a particular service to be 
started in order to run your command. In many cases LAN Manager offers to start 
the service for you. For example, if you haven't yet started the Workstation service 
when you type the NET LOGON command, this message appears: 

WORKSTATION not started. 
OK to start it? (Y/N) : [Y] 

Type [Y] and press [Return] to start the Workstation service before NET LOGON 
runs. 
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Many LAN Manager prompts offer a default response. The default is the response 
option enclosed in brackets. To accept the default response, simply press [Enter]. 

For more information about commands that automatically start LAN Manager 
services, see the 3+Open MS OS/2 LAN Manager User Reference and the 3 +Open 
MS OS/2 LAN Manager Administrator Reference. 



Using the LANMAN.INI File to Start Services 

You can modify your LANMAN.INI file to start services automatically when you 
start the Server or Workstation service. This lets you avoid having to type a 
separate command for each service you want to start. 

The 3+Open Installation and Setup Program, along with other installation programs 
from other 3+Open services like 3+Open Start and 3+Open Backup automatically 
change wrkservices and srvrservices as they are installed. 

There are two entries in the LANMAN.INI file that you can change to start services 
automatically. You can change the wrkservices= entry to start certain services 
automatically when you start the Workstation service. You can also change the 
srvservices= entry to start services automatically when you start the server. 

For example, to start the Messenger and Netpopup services each time you start the 
netstation, you would edit the wrkservices= entry in your LANMAN.INI file to 
read as follows: 

wrkservices=mes senger , netpopup 

Then, after starting the Workstation service, you could type NET START to see 
which services were running. You would see the following display: 

The following LAN Manager services have been started: 
WORKSTATION MESSENGER NETPOPUP 



The command completed successfully. 
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Logging On to the Local Area Network 

After connecting your computer to the local area network by starting the 
Workstation service, you should identify yourself to the local area network by 
logging on with your user name and password. 

Logging on lets you access resources shared by servers on the local area network 
that run user-level security. LAN Manager uses the user name and password you 
provide to verify your permission to use various shared resources. Permissions are 
contained in your user account and are assigned by the server's administrator. 

If you want to use a resource shared by a server running share-level security, you 
must supply the password for that particular shared resource rather than your user 
account password. (This is the essential difference between share-level and user- 
level security.) 

For more information about setting up user accounts, see Chapter 8: Managing 
User-Level Security. 



NET LOGON Command 

To log on to the local area network, use the NET LOGON command with the 
following options: 

net logon username [password] 

usernome is your user name. 

password is your log-on password (if you have one). 

For example, when Mike Greenbaum wants to log on to the local area network, he 
types: 



net logon mikeg wkendorbust 
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This tells LAN Manager that when Mike wants to use a shared resource, LAN 
Manager should check his account (mikeg) to see if he has permission to use the 
resource. LAN Manager also looks at Mike's password, wkendorbust (Mike likes 
weekends), to verify that the person logging on is Mike. 

If you forget to log on before typing a LAN Manager command that requires your 
user name or password, LAN Manager automatically prompts you to log on by 
displaying these messages: 

Type your user name, or press ENTER if it is <default>: 
Enter your password: 

In the first message, <default> is the user name defined in the user name= entry of 
your LANMAN.INI file. When you type your user name, or accept the default by 
pressing [Enter], the second message appears. When you type the correct logon 
password for your user name, LAN Manager logs you on to the local area network, 
then performs your command. 



Logging On from the LAN Manager Screen 

When you start the LAN Manager screen without logging on first, the Log Into 
Network dialog box appears. 

Follow these steps to log on using this dialog box: 

1 . In the Username text box, type your user name, or accept the default user 



2 . In the Password text box, type your password, if you have one. 

3 . Choose the OK command button. 

The LAN Manager screen now displays your user name in the upper left part of the 
screen once you are logged on. 



name. 



Starting and 
Using Network 
Services 




2-7 



Example 

Mike Greenbaum never uses the NET LOGON command. He prefers to have LAN 
Manager prompt him to log on when he starts the LAN Manager screen. When 
Mike arrives in the morning, he types NET START SERVER at his server. This 
automatically starts the Workstation and Server services. Mike then types NET 
ADMIN to start the LAN Manager screen. When the LAN Manager screen 
appears, it displays the Log Into Network dialog box. Mike accepts the default user 
name (mikeg), types his password in the appropriate text box, and chooses the OK 
command button to log on to the local area network. 



Logging Off from the Local Area Network 

On most local area networks, it is important to keep security issues in mind. 
Logging off from the local area network is one way to ensure that your account 
won't be used by anyone else to gain access to confidential files or other secured 
resources. Because your administrative privilege allows you to do so many things 
on the local area network, it is especially important that you log off from the local 
area network when you leave your computer. 

You should log off from the local area network: 

• When you are going to be away from your computer for an extended amount of 



• When someone else is going to log on to the local area network from your 
computer. 

Only one person can be logged on to a netstation or server at a time. If you are 
sharing a computer with someone, only one of you can be logged on to the local 
area network from that computer at any given time. 



time. 
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When you log off from the local area network, two things happen: 

• All connections between your computer and shared resources are ended. (LAN 
Manager asks for your approval before actually ending the connections.) 

• Your user name is removed from message-alias and forwarded-alias lists for 
your computer. 

Logging off 

To log off from the local area network, do the following: 

1 . Select the Config menu and choose the Logoff menu item. 
A message box appears, displaying a confirmation. 

2 . Choose the OK command button to clear this message box from the screen. 



You can also use the NET LOGOFF command to log off from the local area 
network. At the OS/2 prompt, type: 

net logoff 



Changing Your Logon Password 

It is a good idea to change your logon password regularly. This makes it harder for 
someone to learn your password so as to log on to the local area network with your 
user name. LAN Manager lets you change your default password for any server. 



NET LOGOFF Command 
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To change your password, follow these steps: 

1 . Select the Config menu and choose the Change password menu item. 



The Change Logon Password at a Server dialog box appears. 

2 . Select the name of the server on which you want to change your password 
from the Visible servers list box, or type the server's computer name in the 
Servername text box. 

3 . If your user name is not already displayed, type your user name in the 
Username text box. 

4 . Type your existing password and your new password in the corresponding 
text boxes. 

The new password cannot be the same as the old password. 

5 . Choose the OK command button. 
Example 

Mike Greenbaum changes the password for his account on the mis server on the 
first of each month by selecting the Config menu and choosing the Change 
password menu item. When the Change Logon Password at a Server dialog box 
appears, he types mis in the Visible servers text box, types his old password in the 
Old password text box, and types his new password in the New password text 
box. When he chooses the OK command button, LAN Manager changes his 
password on the mis server. 
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NET PASSWORD Command 

To use LAN Manager commands to change your password for a server, use the 
NET PASSWORD command with the following options: 

net password \\computername username oldpassword 
newpassword 

computername is the server on which you are changing your password. 
username is your user name. 
oldpassword is your current password on the server. 
newpassword is the new password on the server. 



Pausing and Continuing Services 

You will occasionally need to pause a local area network service after you have 
started it. A paused service stops processing new requests. For example, if you 
wanted to turn off the server in an hour but wanted to be sure the printer and 
communication-device queues were empty first, you could pause the server. The 
existing requests in the queues would be processed, but the server would accept no 
new requests. 

LAN Manager allows you to pause four services — Workstation, Server, Netrun, 
and Netlogon. You cannot pause other services. 

Pausing the Workstation service temporarily disables use of all network printer and 
communication device queues. 

When you pause the server, no new requests to use a resource are accepted. 
Currently opened or outstanding requests for resource-sharing, however, are not 
affected. 
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When you pause the Netlogon service on a server, the server stops checking log-on 
information for other computers on the local area network. The server does 
continue to check its own user and group accounts to verify access permissions for 
users. 

For more information about access permissions, see Chapter 8: Managing User- 
Level Security. For more information about log-on security, see Chapter 10: 
Managing Log-on Security. 



Pausing a Service 

You can pause the Workstation, Server, Netrun, or Netlogon service by using the 
NET PAUSE command with the following option: 

net pause service 

service is the Workstation, Server, Netrun, or Netlogon service. 
For example, to pause the Server service, type: 
net pause server 



Continuing a Service 

You can continue a paused Workstation, Server, Netrun, or Netlogon service by 
using the NET CONTINUE command with the following option: 

net continue service 

service is the Workstation, Server, Netrun, or Netlogon service. 
For example, to restart the paused Server service, type: 
net continue server 



2 
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Example 



If Mike has just sent a document to a spooled printer queue when Mary pauses the 
server, the print job is not affected. However, if Mike sends another document to 
print after Mary pauses the server, LAN Manager denies Mike access to the printer. 



If you find you no longer need to have a particular service running, you can stop 
that service. Stopping a service removes that service's program from your 
computer's memory. You can stop any service except the Workstation service and 
still continue running the Server service on your computer. 

If you want to stop sharing resources with the local area network, you can stop the 
Server service. Note that when you stop the Server service, any service that you 
started automatically when you started the server will now stop automatically. (Y ou 
can specify services to start automatically when you start the server by adding 
service names to the srvservices= entry in the LANMAN.INI file.) 

If you want to stop using the local area network altogether, you can stop the 
Workstation service. When you stop the Workstation service, all other services are 
stopped automatically. LAN Manager logs you off from the local area network 
and, with your approval, breaks any connections between your computer and 
shared resources. 



Stopping a Service 
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You can stop the Netrun, Spooler, Alerter, or Server services from the LAN 
Manager screen. To stop any one of these services, follow these steps: 

1 . Select the Config menu and choose the Server options menu item. 



The Set Server Configuration dialog box appears. 

2 . Move the cursor to the appropriate check box and remove the X mark to stop 
the corresponding service. 



Table 2-1. Configuration Table 



Checkbox 


Service 


Netrun Service 


Netrun 


Print Spooler 


Spooler 


Admin Alerter 


Alerter 


Start Server 


Server 



3 . Choose the OK command button. 



NET STOP Command 

You can also stop any of the LAN Manager services from the OS/2 prompt. To 
stop a LAN Manager service, use the NET STOP command with the following 
option: 

net stop service 



service is the name of the service you want to stop. 
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Chapter 3: Managing Shared Resources 

The main reason people set up local area networks is so that a person at one 
computer can use resources attached to another computer. Administrators make 
resources such as printers and directories available to local area network users. 
This process is known as sharing resources. 

In this chapter you will learn: 

• How to share resources with the local area network. 

• How to pause and continue sharing resources. 

• How to modify the STARTUP.CMD file to share resources automatically. 

To be able to perform the actions described in this and subsequent chapters, you'll 
need to know how to use the menus and dialog boxes of the LAN Manager screen. 
For detailed information on using the LAN Manager screen, see Chapter 2 in the 
3+Open OS/2 LAN Manager User Guide. 
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About Shared Resources 

When you set up your local area network, you'll want to make printers or other 
devices available to local area network users. LAN Manager allows you to share a 
server's directories, printers, and communication devices with users of the local 
area network. 



Local Versus Network Devices 

When you use a disk drive or printer that is physically attached to your computer, 
you are using a local device. Local devices are identified to the computer by device 
names such as LPT2: COM1: and (for a disk drive) C:. 

With LAN Manager, users can use network devices, connected to a server 
elsewhere on the local area network, in addition to local devices. Users connect to 
network devices and then use them just as they would use local devices. 



About Sharenames 

When you share one of your local resources with the local area network, you assign 
it a sharename. Users connect to your shared resources by attaching one of their 
local device names to the sharename. Thus, if you shared a laser printer that had 
the local device name LPT2: on your computer under the sharename laser ; local area 
network users would connect to laser by attaching one of their local device names 
(such as LPT1:) to that sharename. 

Example 

Mary Sullivan wants to share the Lanhints directory on drive C: of her server 
(mis). To do this, she assigns the sharename hints by typing: 

net share hints=c : \ lanhints 

This makes the directory available to local area network users. 
Later, Jenny Tibbett wants to use files in that directory, so she types: 




net use m: \\mis\hints 
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This connects one of Jenny's local device names (M:) to a disk resource (hints) 
shared by a server (mis). 

MS OS/2 imposes restrictions on device names. The following table shows the 
possible device names for each type of device: 



Table 3-1. OS/2 Device Names 



Type of Device 


Possible Device Names 


Spooled printers and (nonspooled) 
Communication Devices 


LPT1:, LPT2:, LPT3:, COM1:, COM2: 


Disks 


A:, B:, C:, . . Z: 



Sharenames are not so restricted. You could, for example, share a spooled printer 
as laser, share a communication device as modeml , and share a directory as 
accounts. The example above further illustrates this point. 



Types of Shared Resources 

LAN Manager allows you to share four kinds of resources: 

• Disk directories. 

• Spooled printer queues. 

• Communication-device queues. 

• Reserved administrative resources. 

Each type of resource has to be shared in a slightly different way. The next few 
sections describe how LAN Manager works with each of these different types of 
resources. 
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Disk Directories 

LAN Manager allows you to share either the root directory or a subdirectory with 
users of the local area network. 

To share all directories on a disk, you specify the root directory of that disk. For 
example, to share all directories on drive C:, you would specify this device name: 

C:\ 

To share the contents of a single directory on a disk, you must specify the drive 
letter plus a path. For example, to share the Memos directory on drive D:, you 
would specify: 

D : \memo s 

If you shared this resource with a user, that user would be able to access all of the 
directories and files in the Memos directory. 

For more information about sharing directories, see Chapter 4: Managing Shared 
Directories. For information about assigning permissions to shared directories, see 
Chapter 8: Managing User-Level Security. For information about assigning 
passwords to shared directories, see Chapter 9: Managing Share-Level Security. 



Printers and Communication Devices 

Before you can share communication devices or printers with the local area 
network, you must create queues for those devices. With LAN Manager, you don't 
actually share the device — you share a queue that routes requests to the device. 



Sharing Device Queues 

LAN Manager uses queues to control the traffic to printers and communication 
devices. Queues are necessary for printers and communication devices because 
only one user at a time can use these resources. Queues are not necessary for disk 
resources because several users can use the same shared directory simultaneously. 
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If three different users all want to use the same shared printer at the same time, then 
obviously two of them are going to have to wait. The queue for that printer stores 
the requests, and then sends them on to the printer one by one in the same order as 
they came in. 



Request "| 
Request | 




All Request 
Get Number Here 



Request "| Request j 



Figure 3-1. How Printer Queues Work 
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Device Pooling 

LAN Manager allows you to direct a single queue to two or more similar devices. 
This is called device pooling. When you direct a queue to a pool of devices, LAN 
Manager automatically searches the pool for an available device and sends your 
request to that device. 

Device pooling makes it easy for you to create queues and assign permissions. It 
also helps users by making optimum use of available resources. 

For more information about device pooling, see Chapter 5: Managing Shared 
Printers and Chapter 6: Managing Shared Communication Devices. 



Reserved Administrative Resources 

In addition to disk, printer, and communication-device resources, LAN Manager 
allows you to share certain special resources with reserved sharenames that end 
with the $ character. These resources let administrators perform certain tasks over 
the local area network. 



IPC$ and ADMIN$ 

The first two reserved administrative resources are called IPC$ and ADMIN$. 
LAN Manager automatically shares both of these resources for you when you start 
a user-level-security server. 

If you start a server with share-level security, LAN Manager does not share IPC$ 
and ADMIN$ automatically. Since administrators can assign passwords to 
resources on share-level-security servers, LAN Manager lets you assign a 
password for these resources when and if you decide to share them. 

IPC$ is a shared resource that lets users run programs in the server's memory. 
You must also share IPC$ to allow network administration of the server and to 
allow users to view a list of the server's resources from another computer on the 
local area network. For more information about the IPC$ resource, see Chapter 7: 
Managing Shared Programs. 
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ADMIN$ is a shared resource that lets an administrator perform administrative tasks 
on one server from another netstation or server on the local area network. When 
you connect to the ADMIN$ resource, you are automatically regarded as an 
administrator for that server. For more information about network administration, 
see Chapter 11: Administrating a Network Server. 

LAN Manager also reserves sharenames for each drive on a server. These 
sharenames combine a drive letter with the $ character. Thus, for a server with 
drives A through D, LAN Manager reserves sharenames A$, B$, C$, and D$ and 
automatically shares them. An administrator can use one of these shared resources 
to view the directories and files of a particular disk on the server from a network 
computer on the local area network. 

To find out which resources a server is currently sharing, you can use the LAN 
Manager screen to view a list of shared resources. You can also add or delete an 
item or modify the status of resources currendy shared by a server. The following 
sections explain how to use the LAN Manager screen to do these things. 



Listing Shared Resources 

Listing shared resources lets you see which of a server's resources are being shared 
with the local area network. When you want to share a new resource from your 
server, you should first check to see which resources you are currently sharing and 
what their corresponding sharenames are. 

To list the shared resources for your server, follow these steps: 

1 . Select the View menu and choose This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

The list box in this dialog box shows the sharename, the path or device name, 
the resource type, and a remark for each shared resource. Below the list box 
is a check box that shows whether printer queues are paused or not. 
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There are three types of resources that can appear in this list box: 

• If the server is running user-level security, the reserved administrative 
resources IPC$ and ADMIN$ appear in the list of resources. 

• The reserved sharenames for the server's disk drives (A$, B$, C$, and 
D$) are always listed. 

• Any resources that you or another administrator have shared from this 
server are listed. 

2 . To see more information about a shared resource, select it from the list box 
and choose Zoom. 

The Shared Resource Information dialog box appears. 

This dialog box repeats all of the information for this resource that was 
available in the Resources This Server Is Sharing With the Network dialog 
box. It also shows the maximum number of users that can use this resource 
and lists all users who are currently using the resource. 

If your server is running with user-level security, the Admin only check box 
shows whether or not this is a resource that can be accessed only by 
administrators. For share-level servers, this dialog box shows permissions 
for this resource and contains a text box that you can use to change the 
resource's password. In fact, you can change any of the information that 
appears in a text box. 
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Example 

Mary Sullivan is sharing a new resource on the mis server. Before sharing the 
resource, she wants to see how the server is currently set up. In particular, she 
wants to find out which users are currently using shared resources on mis. She 
selects the View menu and chooses the This server menu item. In the list box of the 
Resources This Server Is Sharing With the Network dialog box, Mary sees only 
one printer queue. She selects it, and chooses the Zoom command button. In the 
Shared Resource Information dialog box, Mary sees that eight users are currently 
using the printer queue and that eight is also the maximum number of users that are 
allowed to use the resource at one time. Mary realizes that it's definitely time to 
share a new printer from this server. 



Using NET SHARE to Share Server Resources 

To list the server's shared resources, type the following command at the server's 
OS/2 prompt: 

net share 

You will see a display that resembles the list box in the Resources This Server is 
Sharing With the Network dialog box. 



Sharing Resources 

As an administrator, you decide when and how a resource should be shared with 
the local area network. To share a resource with local area network users, follow 
these steps: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Choose the Add share command button. 

The What Would you like to share? dialog box appears. 
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3 . Select the option button that matches the type of resource that you want to 
share: 

• Disk directory to share a disk resource. 

• Spooled printer to share a printer queue. 

• Comm device queue to share a communication-device queue. 

• Admin share to share an IPC$ or ADMIN$ resource. 

4 . Choose the OK command button. 

Depending on which option button you select, one of four dialog boxes 
appears next. In the dialog box that appears, you can type specific 
information about the shared resource. For more information about sharing 
printer queues, communication-device queues, or disk directories, see 
Chapter 5, 6, or 7, respectively. 



Sharing IPC$ and ADMIN$ 

If your server is running share-level security, you can share IPC$ and ADMIN$ 
resources by selecting the Admin Share option button from the What Would you 
like to share? dialog box (see the preceding procedure.) User-level-security servers 
share IPC$ and ADMIN$ resources automatically when you start them. However, 
you can use this procedure to reshare one of these resources if you had stopped 
sharing it. 

To share IPC$ or ADMIN$ for a server with share-level security, follow these 
steps: 

1 . Select the Admin Share option button from the What would you like to share? 
dialog box and choose the OK command button. 




The Add a Reserved Administrative Share dialog box appears. 
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2 . Select one of the two option buttons: 

♦ ADMIN$. 

• IPC$. 



NOTE: To share both ADMINS and IPC$, you must complete this procedure 
twice. 



3 . Type a descriptive comment about the resource you want to share in the 
Remark text box. 

4 . Specify the maximum number of users that are to be able to access this 
resource at any one time in the Max.users text box. 

You can mark the No limit check box instead to allow unlimited access. 

5 . If the server is running share-level security, type a password for this shared 
resource if you want the resource to have a password. 



This is the password that users must provide in order to be able to use this 
resource. By assigning a password to ADMIN$ and revealing that password 
to only one or two administrators, you can restrict the number of people who 
can remotely administrate the server. 

6 . Choose the OK command button. 



NOTE: It's a good idea always to assign the same password both to BPC$ and 
ADMIN$. If these resources are shared with different passwords, and an 
administrator wanting to administrate the server remotely must explicitly use both 
IPC$ and ADMIN$ for that server before attempting to administrate the server. 
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Example 

Mary Sullivan set up the printl server to run with share-level security. Mary wants 
to be able to administrate printl from any other computer on the local area network, 
so she needs to share both the IPC$ and the ADMIN$ resources from the printl 
server. To do this, Mary selects the View menu and chooses the This server menu 
item. Next, she chooses the Add share command button to see the What would you 
like to share? dialog box. Mary selects the Admin share option button and chooses 
the OK command button. The Add a Reserved Administrative Share dialog box 
appears next. She selects the ADMIN$ option button, types in a description and 
password for the resource, and then chooses the OK command button to share the 
ADMTN$ resource. Mary repeats this procedure for the IPC$ resource, making 
sure to use the same password. 



Using NET SHARE to Share IPC$ and ADMIN$ 

To share IPCS and ADMIN$ from the OS/2 prompt, use the following LAN 
Manager commands from the server: 

net share IPC$ [password] 
net share ADM IN $ [password] 

password is the password you are assigning to this shared resource (if any). 
A password is relevant only for a share-level-security server. 

(Now Mary could share other resources on the printl server from the computer in 
her own office.) 
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Pausing Shared Resources 

Pausing shared resources lets you temporarily suspend network business. 
Specifically, you can pause: 

• A service, including the Server service. 

• One or all of the servers' spooled printer queues. 
.'A specific printer. 

When you pause the Server service, users cannot make any new connections to the 
server's shared resources, although current connections remain unaffected. 

Pausing a printer queue prevents requests from being passed on to the printers from 
a queue. Pausing a specific printer prevents new requests from being printed on 
that printer. Pausing gives a server exclusive use of its paused resources. 
Administrators can pause a server's printers, for example, to service the printers. 



Pausing Printer Queues 

To pause a server's shared printer queues, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Mark the Pause all sharing check box to pause the server's printer queues. 
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Continuing Printer Queues 

When you are ready to continue sharing printer queues, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

2 . Clear the mark from the Pause all sharing check box. 
Example 

A printer company is sending someone to MacroCorp to service the printers. The 
morning before the technician arrives, Mary sends mail to all users of the printl 
server saying she will be pausing all printer queues for the server at 1 p.m. At 1 
p.m. Mary selects the View menu and chooses the This server menu item. There, 
she marks the Pause all sharing check box. 

When the technician leaves, Mary again selects the View menu and chooses the 
This server menu item. This time she unmarks the Pause all sharing check box. 
Mary then sends mail to all the people who use the server, letting them know that 
the printers are available once again. 



Pausing a Printer 

To pause a spooled printer shared from your server, follow these steps: 

1 . Select the Status menu and choose the Device status menu item. 
The Shared Device status dialog box appears. 

2 . Select the printer you want to pause and choose the Pause command button. 



NOTE: You can only pause printers with the word spooled next to the device name 
in the list box. 
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Continuing a Paused Printer 

When you are ready to continue a paused printer, follow these steps: 

1 . Select the Status menu and choose the Device status menu item. 
The Shared Device status dialog box appears. 

2 . Select the paused printer and choose the Continue command button. 

NET PAUSE Command 

You can pause individual spooled printers from the OS/2 prompt. To pause a 
server's printers, use the NET PAUSE command with the following option: 

net: pause print [=devicename] 

devicename specifies a particular spooled printer. 

If you omit the devicename, all printers for that server are paused. 

NET CONTINUE Command 

To continue a paused printer, use the NET CONTINUE command with the 
following option: 

net continue print [=devicename] 

devicename specifies a particular spooled printer. 
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Stop Sharing a Network Resource 

Administrators also have responsibility for deciding when to stop sharing a 
resource with the local area network. You might opt to stop sharing a resource 
when it no longer meets users' needs or when sharing the resource poses a security 
problem. 

To stop sharing a resource, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Select the resource you want to stop sharing. 

3 . Choose the Delete command button. 

A message box appears, prompting you to confirm your decision. 

4 . Choose the OK command button. 
Example 

During a busy period, MacroCorp rented some extra equipment for the temporary 
staff. Mary shared an extra printer from the printl server during this time. After a 
month, the company is ready to return the rented printer. To stop sharing the 
printer, Mary selects the View menu and chooses the This server menu item. In the 
Resources This Server Is Sharing With the Network dialog box, she selects the 
sharename of the rented printer and chooses the Delete command button. The 
printer promptly disappears from the list of shared resources. Mary can now 
disconnect the printer from the server. 
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Using NET SHARE to Stop Sharing Resources 

To stop sharing a resource from the OS/2 prompt, use the NET SHARE command 
with the following options: 

net share sharename /delete 

sharename is the name of the resource being deleted. 

/delete is the option that tells LAN Manager to delete the resource. 



Sharing Resources Automatically 

You may want to set up your server to share certain resources automatically each 
time you start the computer. The alternative is to share the various resources one by 
one every time you start the Server service. You can share resources automatically 
by placing NET SHARE commands in the computer's STARTUP.CMD file, 
immediately following the NET START SERVER command. NET SHARE is the 
command you would use at the OS/2 prompt to share resources. Commands in the 
STARTUP.CMD file are run whenever you start OS/2 on your computer. 



NOTE: This procedure is not recommended for resources being shared with a 
password, since this would require listing your passwod in the STARTUP.CMD 
file, where anyone can read it. You should share password-protected resources by 
typing out the individual NET SHARE commands when you start the server with 
share-level security. 



You can also use profile files to save NET USE, NET SAVE, NET COMM, and 
NET PRINT commands that you want to run automatically when you use the NET 
LOAD command with this option: 

net load filename 




filename is the name of the profile file. 
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For more information about using profiles, see the 3+ Open MS OS/2 LAN 
Manager User Guide. 

Example 

To automatically share a printer and the directories documents and memos each time 
the printl server is started, Mary places the following entries in the 
STARTUP.CMD file on the server: 



net 


start 


workstation 


net 


start 


server 


net 


share 


printer=lptl : 


net 


share 


docs=c : \documents 


net 


share 


memos=c : \ memos 
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Chapter 4: Managing Shared Directories 

3+Open LAN Manager lets administrators control access to a server's directories. 
You can share an entire disk, a disk's root directory, or any and all subdirectories 
on a disk. 

In this chapter you will learn to: 

• Start and stop sharing directories. 

• Manage shared directories. 

• List and close opened files. 

For more information about using shared disk devices, see the 3+Open MS OS/2 
LAN Manager User Guide. 
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Sharing Directories 

You can use LAN Manager to share some or all of a server's disk directories. You 
can also specify what individual users can or cannot do with a directory's contents. 
For example, you could allow one group of users to read files in a directory but not 
write to them, while allowing another group to write information to existing files 
but not to create new ones. 

For information about assigning resource permissions, see Chapter 8: Managing 
User-Level Security and Chapter 9: Managing Share-Level Security. 



How Users Use Shared Directories 

There are two ways local area network users can use shared disk directories. The 
first way is by assigning a drive letter not currently used for a local disk drive to the 
directory. For example, when Jenny Tibbett wants to use a shared directory with 
the sharename help from the mis server, she types: 

net use m: \\mis\help 

Then, to look at the contents of that directory, she types: 

dir m: 



Using a Network Path 

The second way for someone to use a shared directory is by using the network path 
for that resource. The network path is the computer name of the server followed by 
the sharename of the resource. For example, from time to time Mike Greenbaum 
needs to copy a file to a shared directory on the print! server. Mike does not have 
to type the NET USE command in order to connect to this directory. Instead, he 
can specify the network path by typing: 

copy report. feb \\print2\status\report . new 
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The difference is that Jenny goes to the extra trouble of assigning one of her device 
names to the shared directory, while Mike just specifies the shared directory's 
network path as though it were a local directory on his netstation. Either method is 
equally valid. 

Whether a user assigns a local device name or uses the network path of a disk 
resource, two things happen: 

• A connection is established between the user's computer and the server. 

• The user works from the server's directory as though it were a local directory 
(on the user's own computer.) 



Why Share Server Directories 

By snaring a server's directories, you can share data and programs with a number 
of people on the local area network. This provides for data integrity by ensuring 
that everyone has access to a single source. It also saves overall disk space by 
eHrninating the need for duplicate copies of files on everyone's computers. 

Sharing directories saves time. When users use shared directories to access files 
over the local area network, they no longer have to walk to another computer to 
look at a file or copy it to a floppy disk. 

Sharing directories also makes it possible for users to archive files on a server's 
hard disk rather than on floppy disks. Hard-disk storage is generally more reliable 
than floppy-disk storage. 



Organizing a Server's Disks 

Before you share directories over the local area network, you should decide how to 
organize them. Generally, you will be able to organize files into directories related 
to particular projects or groups of people. 
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Although it might seem easiest to share an entire hard disk (by specifying its root 
directory) with everyone on the local area network, it can be a mistake not to 
anticipate the organizational and security problems that can result. 

Be careful not to share directories that contain sensitive files or programs that 
should not be shared. Files that are confidential should either be kept on an 
individual's netstation or should be accessible only to appropriate individuals. 



NOTE: If security is an important factor, be sure to run the server with user-level 
security. This ensures maximum protection for your shared resources. For more 
information about user-level security, see Chapter 8: Managing User-Level 
Security. 



About Sharenames 

When you share a server's directory, you must assign it a sharename. A sharename 
does not have to be identical to the actual name of the directory you are sharing. A 
good sharename should describe the resource and be easy to remember. 



Maintaining a Shared Disk 

When you share directories on a server's hard disk, it is important for the disk to be 
well organized. If several people use the same directory for a lot of different 
projects, the directory will soon be a clutter of unrelated files. You should spend 
some time creating and sharing separate directories for different groups of users. If 
each user or group has a well-defined work area on the hard disk, it will be easier to 
keep files straight. 

Because several people can create files in a shared directory, it is likely that a 
server's hard disk will fill up much more quickly than a netstation's hard disk 
would. As administrator, you should closely monitor how much disk space is 
being used. (The LAN Manager Alerter service automatically tells an administrator 
when the server's disk is near full capacity.) To conserve disk space, you should 
encourage users to take inventory of their files from time to time and to delete files 
they no longer need. 
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Finally, it is important to back up all shared directories on a regular basis. You 
should have a backup copy for each of the server hard disks in case anything 
happens to the disks. It is also helpful to back up copies of files you no longer 
want on the hard disk. 

For information about creating backups using the BACKUP and RESTORE 
commands, see the 3+ Open MS OS/2 LAN Manager User Reference. 



Sharing Directories 

When you share a directory, you make all files and subdirectories of that directory 
available to specified users of the local area network. You might share a directory 
to make a group of files available to several users or to give users additional work 
space. 

To share a directory, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 
This dialog box shows all resources currently being shared from your server. 

2 . Choose the Add share command button. 

The What would you like to share? dialog box appears. 

3 . Select the Disk directory option button. 

4 . Choose the OK command button. 

The Share a Disk Resource With the Network dialog box appears. 
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5 . Complete the text boxes in the Share a Disk Resource With the Network 
dialog box as shown in Table 4-1. 



Table 4-1 . Share a Disk Resource With the Network Dialog Box 



Text box 


What to Do 


Sharename 


Specify the sharename you want the new shared directory 
to have. 


Path 


Specify the drive letter and path of the directory you are 
snaring. 


Remark 


Type a descriptive comment for the directory. 


Max. users 


Specify the maximum number of users able to access the 
directory at one time (you can also mark the No limit check 
box.) 


Password 


If you are running the server with share-level security, you 
can type a password for the shared directory in this text box. 



6 . If you are running the server with share-level security, move to the 
Permissions check boxes. 

Use these boxes to assign access permission for the directory. Press [Space 
bar] to place an X in an empty check box or to remove an X from a marked 
check box. 

7 . Choose the OK command button. 

8 . If you are running the server with user-level security, the Edit File 
Permissions dialog box appears. 

Use this dialog box to specify which users and groups can use the new shared 
directory and what kind of permissions they are to have. See Chapter 8: 
Managing User-Level Security for information on how to actually assign 
permissions for a shared directory. 
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Example 

The head of MacroCorp's Public Relations department has asked Mary Sullivan to 
create a shared directory for the Public Relations staff. Since Public Relations is a 
fairly security-minded department, Mary decides to create and share the directory on 
mis, a server running user-level security. This will allow the Public Relations 
people to assign different permissions for different users of the shared directory. 

Mary's first step is to use the MS OS/2 MKDIR command to create a Pubrel 
directory on the mis server. Next she must share this directory. To do this, she 
starts the administrator's version of the LAN Manager screen, selects the View 
menu, and chooses the This server menu item In the Resources This Server Is 
Sharing With the Network dialog box, Mary chooses the Add share command 
button. Then, in the What would you like to share? dialog box, she selects the Disk 
directory option button. 

In the Share a Disk Resource With the Network dialog box, Mary starts filling in 
the text boxes. First she shares the Pubrel directory as pubrel. This means that 
members of the Public Relations staff will be able to connect to their shared 
directory by specifying the pathname ^mis\pubrel. Mary types c :\pubrel in the 
Pathname text box to tell LAN Manager where to find the directory on the server's 
hard drive. In the Remark text box she just types Public Relations. Since mis is 
running user-level security, there's no need to specify a password. Finally, in the 
last text box Mary sets the maximum number of users at 20 (there are 15 people in 
the Public Relations department right now, so 20 gives them a little flexibility.) 

When Mary chooses the OK command button, the Edit File Permissions dialog box 
appears on her screen. To find out how Mary assigns permissions for the Pubrel 
directory, see Chapter 8: Managing User-Level Security. 
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Using NET SHARE to Share Directories 

To share directories from the OS/2 prompt, use the NET SHARE command with 
the following options: 



^HET SHARK ^— sharename=drive : \path 



password \^ ^'^/permissions: permissions. 



/users: /lumber 



/unlimited 



/remark: text 




Figure 4-1. NET SHARE Options 

sharename is the sharename you are assigning to the directory. 

drive^Spath specifies the location of the directory on the server. 

password specifies the password users must type to use this resource. Specify a 
password only if your server is running share-level security. 

/permissions '.permissions assigns share-level permissions for the disk resource. 

/uscTs:nwnber specifies the maximum number of users that are to be able to access 
this resource at the same time. 

/unlimited specifies that there is to be no limit on the number of users accessing this 
resource. 



/remark:/ejtf is a descriptive remark for the resource. 



NOTE: For instructions on how to use the command flow diagram chart, refer to 
Appendix C. For more information about the NET SHARE command, see the 
3+Open MS OS/2 LAN Manager Administrator Reference. 
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Stop Sharing a Directory 

You may occasionally need to stop sharing a directory when it is no longer being 
used and you want to delete it or when a project requiring the use of shared files is 
completed. Whatever the reason, you can use the LAN Manager screen to stop 
sharing a directory with local area network users. 

To stop sharing a directory, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

2 . From the Resources This Server Is Sharing With the Network dialog box, 
select the sharename of the directory you want to stop sharing. 

3 . Choose the Delete command button. 

The Stop Sharing a Network Resource dialog box appears, asking you to 
confirm your decision to stop sharing the resource. 

4 . Choose the OK command button. 



The directory promptly disappears from the server's list of shared resources. 
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Example 

Mary Sullivan has been sharing a directory on the mis server with a number of 
MacroCorp's top executives. This directory, which Mary has assigned the 
sharename/iisaz/, contains highly sensitive financial data. The President decides 
that this information should be moved to the senior accountant's netstation, since 
the accountant is now the only one who still needs to use these files. 

Before removing the directory from mis, Mary must stop sharing it. To do this, 
Mary selects the View menu and chooses the This server menu item. She selects 
fiscal from the list box. In the Resources This Server Is Sharing With the Network 
dialog box, Mary chooses the Delete command button. When the Stop Sharing a 
Network Resource dialog box appears, she checks to make sure she is deleting the 
right directory from the list before choosing the OK command button to stop 
sharing the directory. 



Using NET SHARE to Stop Sharing Directories 

To stop sharing a directory from the OS/2 prompt, use the NET SHARE command 
with the following options: 

net share drive:\path /delete 

drive->path specifies the directory you want to stop sharing, 
/delete tells LAN Manager to stop sharing the directory. 
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Chapter 5: Managing Shared Printers 

As the local area network administrator, you must decide which printers to share 
with the local area network users and how to share them. When you share printers, 
you must set up printer queues and determine whether or not to create printer pools. 

In this chapter, you will learn how to: 

• Share individual printers or pools of printers. 

• Create printer queues. 

• List the print requests contained in a printer queue. 

• Reorganize the print requests within a printer queue. 

• Change the options for a printer queue. 

• Hold and restart a printer queue. 

• Stop sharing printer queues. 
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Sharing Spooled Printers 

LAN Manager recognizes three types of devices: disk devices, communication 
devices, and spooled printers. Spooled printers are printers that work with a LAN 
Manager program known as the spooler. Other printers must be shared as 
communication devices, which are covered in Chapter 6. 

The 3+Open Postscript Despooler server, which works in conjunction with the 
LAN Manager spooler software, allows network users to select which files to print 
and which network printers to use. It also allows administrators to manage the 
printer queue and troubleshoot printer problems. 

A spooled printer can be connected to any of a computer's parallel (LPT) or serial 
(COM) ports. 



NOTE: The Spooler service must be running on your server to enable users to 
access the server's spooled printers across the local area network. The 3+Open 
LAN Manager Installation and Setup Guide describes how to install the PostScript 
despooler. 



Printers that are not spooled must be shared as communication devices. See 
Chapter 6: Managing Shared Communication Devices for information on how to 
share communication devices. 



How Shared Printers Work 

When users send documents over the local area network to a spooled printer, they 
are actually sending the documents to a spooled printer queue, where the documents 
are held as print requests and assigned job numbers. 



If there is more than one print request in the queue, the queue holds the requests, 
passing them on to the spooler in the same order as it receives them. 
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3+Open LAN Manager comes with a print processor which supports PostScript 
printers. For more information refer to the 3+Open LAN Manager Installation and 
Setup Guide. 

You can have the spooler run a special print processing program on print requests 
in a particular printer queue. For example, a certain printer queue could be set up 
for print requests that contained special formatting characters. The spooler would 
run a program to translate these characters for the printer before sending a request 
on to the printer. 

The spooler passes the print requests on to the printer, which prints the document. 



Automatic Print Notification 

LAN Manager automatically sends messages to users as soon as the document is 
done printing: 

From: SERVER at \\PRINT1 
To : BENP 

Subj: ** PRINTING NOTIFICATION ** 
Date: May 25, 1988 at 12:23:33 

Print job 3325 has finished printing on LPT1. 
Job was queued to P00L1 on May 25, 1988 at 
12:07:21. Size of job is 24,431 bytes. 

LAN Manager also notifies users if there are problems with print requests, such as 
when a printer runs out of paper, or when the status of a print request changes (for 
instance, if an administrator pauses the queue). 
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Setting Up Printer Queue Options 

LAN Manager allows you either to create a simple printer queue that serves one 
printer or to create more sophisticated printer queues. There are several options to 
consider when setting up printer queues: 

• Which printers should receive documents from a queue. 

• What priority level you want to assign to a queue. 

• Whether you want to use a print processor program to process documents sent 
to a queue. 

• Whether you want a separator page to be printed between documents for a 
queue, and if so, what its appearance will be. 

When you define a queue, LAN Manager keeps a record of the options you have 
chosen for it in the LanmanNSpool directory. 

You can also specify another spool directory by changing the spooldir= entry of 
your LANMAN.INI file. The spooldir= entry should be in the following form: 

spooldir= [drive :\] path 

drive'^path identifies the spool directory you've created. 

For complete information on the LANMAN.INI file, refer to the 3 +Open Network 
System Guide. 

LAN Manager creates a separate subdirectory in the Spool directory for each queue 
that you create. 

The next several sections describe the various options associated with spooled 
printer queues. 
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Configuring Printer Queues 

There are a number of ways you can configure printer queues. In order of 
increasing complexity, you can connect: 

• One printer queue to one printer. 

• Two or more printer queues with different options to the same printer. 

• One or more printer queues to a pool of two or more printers. 

The simplest queue to create is one that sends requests to a single printer not served 
by any other queue. To create such a queue, you must specify: 

• A sharename for the queue. 

• The server device name for the printer. 

For example, the following command creates a printer queue called print that routes 
documents to the printer connected to the server's COM1 port: 

net share print=coml 



Creating a Pool of Printers 

When you connect a printer queue to two or more printers of the same kind, you are 
creating a pool of printers. With this option, LAN Manager searches for an 
available printer so that network users don't have to. LAN Manager routes 
documents from a printer queue to the first available printer in a pool of printers. 



The Alerter service then sends messages to users telling them where their 
documents have been printed. 
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To create a printer queue that sends requests to two or more printers, you must 
define: 

• The sharename of the queue. 

• The device names for all printers in the pool. 

For example, the following command creates a printer queue called draft that routes 
documents to printers connected to the server's LPT1: and LPT2: ports: 

net share draf t=lptl ; lpt2 



Using NET SHARE to Route Printer Queue Requests 

LAN Manager also allows you to route a queue's requests to connect to two or 
more servers. To include a network printer as part of a spooled printer queue for 
your server, follow these steps: 

1 . From the network server, share the network printer as part of a (nonspooled) 
communication device queue. (For example, use a command of the following 
form: 

net share sh a ren amende vicen a/ne/coxnm 

2 . From the local server, redirect a device name to the network shared 
communication device queue. Use a command of the following form: 

net use devicename \\computername\ sharename 

3 . Create a spooled printer queue at the local server. Use a command of the 
following form: 

net share sharename /print 
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4 . Redirect output for the new spooled printer queue at the local server to the 

network printer that is shared as part of a communication device queue. Use a 
command of the following form: 

net print sharename /route : devi cename 



Printer Queue Options 

If you decide to assign two or more spooled printer queues having different options 
to the same printer or pool of printers, you may want to vary the following printer 
queue options: 

• The users or groups who can use the various queues. 

• The priority levels of the queues. 

• The times at which the different queues can send requests to printers. 

These printer queue options are described in the following sections. 

You can specify the users or groups who can use a queue either by editing the file 
permissions (on a server running with user level security) or by controlling the 
resource's password (on a share level server). See Chapter 8: Managing User 
Level Security, and Chapter 9: Managing Share Level Security for more about 
restricting access to a resource. 



The Queue Priority Option 

Administrators can assign priority levels to spooled printer queues. If you find that 
certain print requests are more time-critical than others, you can create two printer 
queues for the same printer or printer pool. For example, you could create one 
queue high with a priority of 1 and another queue average with a priority of 5. 
Requests in the high queue would be printed before requests in the average queue. 
Then you can give access permissions for average to all users, and access to high 
only to users who need to print time-critical documents. 
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You can use the NET PRINT command to assign a priority level to an existing 
spooled printer queue. 

The highest priority is 1, the lowest is 9, and the default is 5. 
For example, to assign a priority of 1 to the high queue, type: 
net print high /priority:! 



The Scheduling Option 

The scheduling option specifies the times at which a queue can send requests to the 
printers. Users can submit documents to the queue at any time, but the queue holds 
all requests until its designated start-printing time. 

You can use the NET PRINT command to define a print schedule for an existing 
spooled printer queue. For example, to specify that documents in the latenite queue 
should print between 8 p.m. and 11 p.m., type: 

net print latenite /after : 8 : 00pm /until : 11 : 0 0pm 



The Print Processor Option and Parameters 

Certain programs, such as page-design programs, create document files containing 
special characters that must be translated before printing. A print processor 
program translates these characters into something that the printer can recognize and 
print. 

You can set up a printer queue to run a print processor on all documents before 
sending them to the printer. 

You can create two printer queues to allow users creating documents from various 
programs (some needing a particular print processor and some not) to use the same 
printer or pool of printers. 
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You can use the NET PRINT command to define a print processor program to run 
on all documents for an existing spooled printer queue. For example, to specify 
that a print processor called POSTSCRP.EXE run on all documents sent to the docs 
queue, type: 

net print docs /processor : c : \spool\lanman\postscrp . exe 



The Separator Page Option 

You can choose to define and use a page to separate print documents sent by a 
given queue to the printer. Separator pages make it easier for you to see where one 
printed document ends and another begins. They typically include such information 
as the name of the person who printed the document and/or the name of the 
document. As an administrator, you can specify the contents of the separator pages 
for your printer queues. 

You can define a separator page by creating a file of escape-character codes that 
define the contents of that page. You should follow the guidelines. 



Separator Page Guidelines 

• To readily identify the file as a separator page definition file, use the filename 
extension .SEP. 

• Determine the escape character to use in the file. (The @ character is used in the 
list of escape codes that follows.) You define an escape character by typing it 
alone on the first line of your separator page definition file. 

• Only use spaces as part of a string of text; do not use spaces between escape 
characters. 
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Table 5-1 lists the escape codes and their functions. (Although you may specify 
any character as the escape character, the @ character is used in this list): 

Table 5-1, Separator Page Escape Codes 



Escape Code 


Function 


@Uext 


Prints the specified text. 


<5)D 


Prints the date the spool file was created. 


@T 


Prints the time the spool file was created. 


@N 


Prints the sharename of the printer queue or the user name and 
computer name of the document's originator. 


(tt>l 


rnnts ine oocumeni s jod numoer. 


(a)llnn 


Sets the printer-specific control sequence: nn is a hexadecimal 
number which is sent directiy to the printer. See your printer 
manual for these numbers. 


@Wm 


Sets the separator page width (in characters). 


@n 


Skips n number of lines. Range 0-9. 


<S)B 


Creates block characters. 


@S 


Creates single- width block characters. Use after the @B code. 


<5)M 


Creates double-width block characters. Use after the @B code. 


@U 


Turns off block-character printing. 


@E 


Ejects a page from the printer. Use this when you want to start 
a new page or when you have finished creating your banner 
page file. 
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Sample Separator Page 

If no pathname is given and a DEFAULT.SEP file is not in the printer spool 
directory, LAN Manager automatically uses the following separator page: 

@ 

@B@S@N@4 
@B@S@I@4 
@D@Lbbbb@T@0 
@E 

This default separator page definition file: 

• Prints the sharename of the printer queue, or the user name and computer name 
of the document's originator in block characters, then skips four blank lines. 

• Prints the job number of the document in block letters and then skips four more 
lines. 

• Prints the date (followed by four spaces) and the time. 

• Ejects the printed separator page. 



Creating and Sharing Printer Queues 

Once you have decided how to set up your shared printers, you are ready to create a 
shared printer queue. To share a printer with local area network users: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Choose the Add share command button. 

The What would you like to share? dialog box appears. 
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3 . Select the Spooled printer option button and choose the OK command button. 
The Share a Print Queue With the Network dialog box appears. 

4 . Complete the text boxes according to the instructions in Table 5-2. 



Table 5-2. Print Queue Dialog Box Options 



Text box 


What to Do 


Sharename 


Specify the sharename you want the new shared printer queue 
to have. 


Remark 


Type a descriptive comment for the printer queue. 


Max. users 


Specify the maximum number of users that are to be able to 
use this queue at any one time (you can also mark the No limit 
check box.) 


Password 


If you are running the server with share-level security, you can 
type a password for the printer queue in this text box. 



5 . Choose the OK command button. 

If the printer queue does not already exist, a message box displays this 
message: 

The specified printer queue does not exist . 
Click <OK> to create the queue <sharename>. 



NOTE: The sharename of the queue you are creating is displayed in the place of 
sharename. 



6 . Choose the OK command button to create the printer queue. 

The Printing Options for Queue dialog box appears. 
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7 . Complete the text boxes according to the instructions in Table 5-3. 



Table 5-3. Print Options for Queue Dialog Box Options 



Text box 


What to Do 


Priority 


Set the priority for this queue. 1 is the highest, 9 is the 
lowest, and 5 the default. 


Device Name 


Specify the device name(s) to which the printer or 
printers for this printer queue are connected on the 
server. 


Separator file 


Specify the pathname of the separator file you want to 
use with this queue, if any. 


Print after 


Specify the time at which the printer queue can start 
sending requests to the printer(s). Use 24-hour format 
(00:00—23:59). 


Print until 


Specify the time after which the printer queue can no 
longer send requests to the printer (s). Use 24-hour 
format (00:00—23:59). 


Print processor 


Specify the name of the print processor to be used 
with this queue, if any. 


Parameters 


Specify any parameters that are required by the print 
processor program. 


Remark 


Type a descriptive comment for the printer queue. 



8 . Choose the OK command button. 

9 . If you are running the server with user-level security, the Add Permissions 
dialog box appears. 

Use this dialog box to identify which users and groups can use this queue. 
See Chapter 8: Managing User-Level Security for information about how to 
assign access permissions for printer queues. 
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Example 

Mary Sullivan is setting up two printers to be shared by the printl server. She 
decides to create a single printer queue for the two printers. To do this, Mary 
selects the View menu and chooses the This server menu item. Then she chooses 
the Add share command button. In the What would you like to share? dialog box 
Mary selects the Spooled printer option button and chooses the OK command 
button. In the Share a Spooled Printer Queue dialog box she types the sharename 
of the queue she wants to create (pooll) and then a description of the queue. 
Because the printl server runs share-level security, Mary also types in a password 
for the printer queue before selecting the OK command button. 

The Printing Options for Queue dialog box appears next. In this dialog box, Mary 
types the device names for both printers in the Devicename text box: 

lpti ; Ipt2 

Mary also types in the name of the separator file that is to print between each 
document, and a remark that she will see if she decides to change the print options 
later. When she chooses the OK command button, the new pooll queue appears in 
the list of shared resources for the printl server. 



Using NET SHARE to Share Printer Queues 

You can also share a printer queue from the OS/2 prompt. To share a printer 
queue, use the NET SHARE command with the following options: 



Qna SHARK ^ ^^^y jsAarename-ctevicename J ^ f \ ^~ f 

C M a J V ^p^iiit^ X^ V| pas sword 



^^/permissions ipermjss^onS**^^ 



/remark : text 



/users: number 



/remark : text 



Figure 5-1 . NET SHARE Command 
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sharename is the sharename you are assigning to the printer queue. 

devicename specifies the printer to which this printer queue is to route documents. 
(Separate two or more device names with commas or semicolons.) 

/print identifies the shared resource as a printer queue. (This is a default.) 

password is the password you are assigning to this resource (for share-level- 
security servers only). 

/users:?* specifies the maximum number of users (n) that are to be able to use this 
printer queue at the same time. 

/unlimited specifies that there is no limit on the number of users who can access this 
resource at the same time. 

/remark: text provides a descriptive remark for the printer queue. Remember to 
enclose the comment in quotation marks. 



NOTE: For instructions on how to use the command flow diagram chart, refer to 
Appendix C. For more information about the NET SHARE command, see the 
3+Open MS OS/2 LAN Manager Administrator Reference. 



Listing and Controlling Print Requests 

Listing the print requests for each printer queue shared by a server lets you monitor 
the status of each print request. You can also do the following: 

• Delete requests. 

• Change the position of a request in a printer queue. 

• Restart a document that was interrupted while printing. 
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• Hold a request in a printer queue so that it does not print. 

• Release a held request so that it can be printed. 

To select any of these request options, follow these steps: 

1 . Select the View menu and choose the Print queues menu item. 
The Show Print Queues For dialog box appears 

2 . Identify the printer queue or queues you want to examine by doing one of the 
following: 

• Type the name of the server sharing the queue in the server text box, OR 

• Select the server from the Server list box, OR 

• Select the local device name that is connected to the queue from the 
Redirected device list box. 

3 . Choose the Zoom command button. 

The Print Queues for (Server) dialog box appears. 

The list box in this dialog box shows the sharename and status for each 
printer queue shared from the server. It also shares the requests in the 
individual queues. 

4 . Select the print request you want to delete, move, or restart. 
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5 . Choose the appropriate command button from the list in Table 5-4. 



Table 5-4. Print Request Command Buttons 



Command button 


Function 


Hold 


Holds a document in the queue without printing it. 


Release 


Releases a held print request so the document can be 
printed. 


Restart 


Restarts a print request that has stopped because of a 
printer error or for some other reason. The document 
is reprinted from the beginning. 


Zoom 


Lets you see specific information about the request and 
change the request's location in the queue. 


Delete 


Removes a print request from the queue. 



Example 

Mary Sullivan hears that there's something wrong with the pooll printer queue on 
the printl server. On her server (mis), Mary selects the View menu and chooses 
the Print queues menu item. She selects the printl server from the Show Print 
Queues for dialog box and chooses the Zoom command button. 

The Print Queues for (Server) dialog box appears, showing Mary that both printers 
are out of paper and that several documents are waiting in the queue. Mary walks 
to the printer room and tends to the printers. (She also starts the Alerter service to 
make sure users get No paper messages in the future.) When she returns to her 
office, she sends mail to the users who had jobs waiting to let them know the 
printers are now working. 
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Using NET PRINT to Check Printer Queues 

To list the contents of a shared printer queue from the OS/2 prompt, use the NET 
PRINT command with the following option: 

net print [sharename] 

sharename is the printer queue. 

If you type the NET PRINT command by itself, LAN Manager lists the contents 
and status of each printer queue for the server. 

To list the contents of one or more printer queues at a network server, use the NET 
PRINT command with the following options: 

net print Wcomputername [sharename] 

computernome is the name of the network server. 
sharenome is the name of the shared printer queue. 



Using NET DEVICE to Manage Printers 

To list the status of a particular printer, use the NET DEVICE command with the 
following option: 

net device [devicename] 

devicename specifies the printer. 

If you type the NET DEVICE command by itself, LAN Manager reports the status 
of all print and communication devices shared by the local server. 
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To restart printing of a document at a specific printer, use the NET DEVICE 
command with the following options: 

net device devicename /restart 

devicename specifies the printer. 

To delete the document currently being printed by a particular printer, use the NET 
DEVICE command with the following options: 

net device devicename /delete 

devicename specifies the printer. 

/delete tells LAN Manager to delete the document. 

Changing Printer Queue Status 

Just as you can change the status of print requests in a printer queue, you can 
change the status of the queue itself. Specifically, you can change the following: 

• Hold a printer queue so that all documents after the one currently being printed 
are held. 

• Release a printer queue from the held state. 

• Delete a printer queue. 

• Purge a printer queue of all print requests. 

To change the status of a printer queue, follow these steps: 
1 . Select the View menu and choose the Print queues menu item. 
The Show Print Queues For dialog box appears. 
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2 . Identify the printer queue or queues you want to examine by doing one of the 
following: 

• Type the name of the server sharing the queue in the Server text box, OR 

• Select the server from the Visible servers list box, or 

• Select the local device name that is connected to the queue from the 
Redirected devices list box. 

3 . Choose the Zoom command button. 

The Print Queues for (Server) dialog box appears. 

4 . Select the sharename of the printer queue you want to hold, release, delete, or 
purge. 

5 . Choose the appropriate command button listed in Table 5-5. 



Table 5-5. Print Queues For Server Dialog Box Command Buttons 



Command button 


Function 


Hold 


Holds all print requests (except the one that is currently 
being printed) in the queue. 


Release 


Reactivates a held printer queue. 


Zoom 


Displays the Printing Options for Queue dialog box. 
See the following section, Changing Printer Queue 
Options. 


Delete 


Deletes a printer queue once it is empty. 


Purge 


Removes all print requests from the printer queue 
without deleting the queue itself. 
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Example 

Mike Greenbaum needs to print a huge report. He needs to use a printer on the 
print! server that's shared as lineprt. He decides that the easiest thing for him to do 
is to hold the queue and then just use the printer directly from print2. Mike sends 
mail saying he will be tying up the lineprinter connected to LPT3: (served by 
lineprt) on the print2 server from 2:00 to 4:00 p.m. 

At 2 o'clock, Mike selects the View menu and chooses the Print Queues menu item. 
In the Vprw*2 from the Show Print Queues for dialog box he selects the print! 
server. Finally, in the Show Print Queues for\\PRINT2 dialog box he selects the 
lineprt printer queue and chooses the Hold command button. 

When Mike's finished using the printer, he releases the printer queue by selecting 
lineprt and choosing the Release command button in the Show Print Queues for 
WPRINT2 dialog box. 



Holding Shared Printers Using the NET PRINT Command 

To hold a shared printer queue, use the NET PRINT command with the following 
options: 

net print sharename /hold 

sharenome specifies the printer queue you want to pause, 
/hold tells LAN Manager to hold all print requests. 

To release a held printer queue, use the NET PRINT command with the following 
options: 

net print sharename /release 

sharename specifies the printer queue you want to release, 
/release tells LAN Manager to release the printer queue. 
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Changing Printer Queue Options 

LAN Manager allows you to change the characteristics of an existing printer queue. 
For example, you may want to add another printer to the queue, revise the queue's 
description, or change some other option. 

To change the printer queue options for a printer queue, follow these steps: 

1 . Select the View menu and choose the Print queues menu item. 

The Show Print Queues For dialog box appears. 

2 . Identify the printer queue or queues you want to examine by doing one of the 
following: 

• Type the name of the server sharing the queue in the Server text box, OR 

• Select the server from the Visible servers list box, or 

• Select the local device name that is connected to the queue from the 
Redirected devices list box. 

3 . Choose the Zoom command button. 

The Printer Queues for (Server) dialog box appears. 

4 . Select the sharename of the printer queue you want to change. 

5 . Choose the Zoom command button. 

The Printing Options for Queue dialog box appears, showing the current 
options for this printer queue. 
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6 . Use the instructions in Table 5-6 to change the options for the selected 
queues. 



Table 5-6. Print Options for Queue Dialog Box Text Boxes 



Text box 


What you can do 


Priority 


Change the priority level for requests in this queue. 1 is 
the hiphest* v is the lowest 


Device Name 


Add, delete, or change the server device names that are 
connected to this queue. If the queue routes documents 

\c\ q tv"mi1 r\f rvrintPTSJ spnnTQtf 1 tVif* Hfvipf* miTTif^c with 

LVJ CL U\J\Jl \JL Ullllldo, otUaluK/ Lilt; Ut'VlV.-V llCtlllVd Willi 

semicolons, commas, or spaces. For example: 

lpt2 ; lpt3 


Separator file 


Change the filename of the separator file that you want 
to print between requests in this printer queue. 


Print after 


Change the time at which the queue can start sending 
requests to the printer(s). Use 24-hour notation 
(00:00—23:59). 


Print until 


Change the time after which the queue can no longer 
send requests to the printer(s). Use 24-hour notation 
(00:00—23:59). 


Print processor 


Change the drive letter, path and filename of the print 
processor that is run by the spooler on requests in this 
queue. 


Parameters 


Change the parameters for the print processor. 


Remark 


Change the remark for the queue. 



7 . Choose the OK command button. 
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Example 

Mary Sullivan has created a new separator file to use with the pooll printer queue. 
To add the name of the new separator file to the printer queue options, Mary selects 
the View menu and chooses the Print queues menu item. In the Show Print Queues 
for dialog box she selects the printl server and chooses the Zoom command button. 
In the Printer Queues for\NPRINTl dialog box she selects pooll and chooses the 
Zoom command button. When the Printing Options for Queue dialog box appears, 
she moves to the Separator file text box, types the name of the new separator file, 
and chooses the OK command button. The next time someone prints a document 
using the pooll queue, the new separator page is automatically printed after the 
document. 
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Using NET PRINT to Change Printer Queue Options 

To change the options for an existing spooled printer queue from the OS/2 prompt, 
use the NET PRINT command with the following options: 



C 



NET PRINT 



r 



sharename 



sharename 



/priority : number W 



^-^^ /route '.device name ■ ^ ^ 



/afteritime 



^•^^ /until :time >» 
/separator : pathname 



/proce ssor : pa thnames^ - 



/parras : 



^•^1 /parms : keyword=value [ ; . . . f 



I remark: text 



/hold 
^-^/release*^ 



/delete^^- 



/purge 



/options^^- 

Figure 5-2. NET PRINT Command 
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sharename is the printer queue that you want to change. 

/priorityinumber sets the priority for the queue (the highest is 1, the lowest is 9, and 
the default is 5). 

/route:devicename specifies which printer or printers can receive documents from 
this queue. 

/aftentime specifies the time at which this printer queue can begin sending 
documents to the printer(s). 

/untilitime specifies the time after which the queue can no longer send documents to 
the printer(s). 

/separatonpathname identifies the filename of a separator page to print between 
documents in the queue. Unless you provide another path, LAN Manager assumes 
this file is in the LanmanNSpool directory. 

/processor.pathname specifies the print processor to be used on document files sent 
to this queue. 

/parametersikeyword specifies parameters for the print processor program. Valid 
keywords are defined by the print processor program you are using. 

/remark: text allows you to provide a descriptive comment for the spooled printer 
queue. Remember to enclose your remark in quotation marks. 



NOTE: For instructions on how to read the command flow diagram chart refer to 
Appendix C. 
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Making Shared Printer Queues Unavailable 

You may want to stop sharing a printer queue at some point. It could be that you 
are reorganizing your printer queues, removing a printer, or users no longer need a 
particular printer queue. Whatever the reason, to stop sharing a printer, follow 
these steps: 

1 . Select the View menu and choose the This server menu item 

2 . Li the Resources This Server Is Sharing With the Network dialog box, select 
the name of the printer you want to stop sharing and choose the Delete 
command button. 

The Stop Sharing a Network Resource dialog box appears, asking you to 
confirm your decision to stop sharing the printer. 

3. Choose the OK command button. 
Example 

Ben Preston tells Mary Sullivan that it's OK to share his department's new printer 
with the local area network until a new administrative assistant can be hired. When 
Ben hires his new assistant, he tells Mary that he needs his printer back. To stop 
sharing the printer, Mary selects the View menu and chooses the This server menu 
item. In the Resources This Server Is Sharing With the Network dialog box, she 
selects the name of the printer queue connected to the borrowed printer, then 
chooses the Delete command button to stop sharing the spooled printer queue. 
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Using NET SHARE to Stop Sharing a Print Queue 

To stop sharing a printer queue, use the NET SHARE command with the following 
options: 

net share sharename /delete 

shorename is the printer queue you want to stop sharing, 
/delete tells LAN Manager to stop sharing the printer queue. 



Using NET PRINT to Delete a Print Queue 

To delete the printer queue (that is, to remove the record defining the printer queue 
from the server so that it cannot be reshared later), use the NET PRINT command 
with the following options: 

net print sharename /delete 

sharename is the name of the printer queue you want to delete, 
/delete tells LAN Manager to delete the printer queue. 
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Chapter 6: Managing Shared 
Communication Devices 

LAN Manager allows users to connect to shared communication devices such as 
modems, scanners, and PostScript printers. Communication devices are 
nonspooled devices connected to a computer's serial (COM) or parallel (LPT) 
ports. 

Administrators are responsible for setting up communication device queues and 
pools, and for sharing these queues with local area network users. 

In this chapter, you will learn how to: 

• Share individual communication devices and pools of devices. 

• Check or modify the status of requests in a communication device queue. 

• List the contents of a communication device queue. 

• Change the options for a communication device queue. 

• How to stop sharing communication device queues. 
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Setting Up Communication Device Queues 

When you share a communication device, you are actually sharing a communication 
device queue. You can share either a single communication device or a pool of 
similar communication devices under the same sharename. 

When a user uses a communication device queue connected to a single 
communication device such as a modem, only one user at a time can access that 
device. Other users will find the device busy and must either connect to another 
communication device queue or wait for the first one to become available. When a 
user uses a communication device queue that shares a pool of similar 
communication devices, LAN Manager does most of the work for the user by 
finding the available communication device in the pool — if there is one — and 
automatically sending the user's request to that device. 

To allow administrators greater flexibility in controlling device access and priority, 
LAN Manager is designed to permit more than one queue to send requests to a 
single device or device pool. Administrators can then assign different priority 
levels to different queues connected to the same device or device pool. 

For example, as administrator, you might create two communication device queues 
for a modem — one with low priority and one with high priority. When both queues 
try to send requests to the modem at the same time, the request with the high 
priority would always be processed first. 
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Deciding Which Devices to Share 

LAN Manager allows you to share virtually any communication device with the 
local area network. There are several types of communication devices: serial 
printers, image scanners, modems, mice, light pens, joysticks, etc. 

Generally you would only share devices that a user does not have to see to use. 
(These would include devices like modems, serial printers, mice, light pens, image 
scanners, and joysticks.) However, it is up to you to determine which 
communication devices should be shared for your environment. 



Sharing a Communication Device Queue 

To give local area network users access to a communication device attached to a 
server, you must first create and share a queue for that device. 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Choose the Add share command button. 

The What would you like to share? dialog box appears. 

3 . Select the Comm queue option button and choose the OK command button. 

The Share a Device Resource With the Network dialog box appears. 
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4 . Complete the text boxes according to the instructions in Table 6-1. 



Table 6-1. Comm Device Dialog Box Text Boxes 



Text box 


What to do 


Sharename 


Specify the sharename you want the new shared 
communication device to have. 


Devicename 


Specify the device name(s) of the communication device(s). 

If you want to create a pool of shared modems, include the 
device names for all devices to be included in the pool. Be 
sure to use semicolons (;), commas (,), or spaces to separate 
the device names. 


Remark 


Type a descriptive comment about the comm device queue. 


Max. users 


Specify the maximum number of users that may access this 
queue at one time (you can also mark the No limit check 
box.) 


Priority 


Set the priority level for this queue. 1 is the highest; 9 the 
lowest; and 5 the default. 


Password 


If you are running this server with share-level security, you 
can type a password for the communication device queue in 
this text box. 



5 . Choose the OK command button. 

If you are running the server with user-level security, the Add Permissions 
dialog box appears. (Or, if you have shared a communication device queue 
with this sharename before and an access record already exists for the queue, 
the Change Permissions dialog box appears.) Use this dialog box to identify 
which users and groups may have access to this queue. 

See Chapter 8: Managing User-Level Security for information on assigning access 
permissions and for instructions on how to complete the Change Permissions 
dialog box. 
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Example 

Mary Sullivan is adding a modem to the local area network. She decides to share 
the new modem from the mis server (a server running with user-level security) as 
modem. To do this, Mary selects the View menu and chooses the This server menu 
item. From the Resources This Server Is Sharing With the Network dialog box, 
she chooses the Add share command button. Then, in the What do you want to 
share? dialog box, she selects the Comm device option button and chooses the OK 
command button. In the Share a Device Resource With the Network dialog box, 
Mary types the sharename of the queue {modem), the device name of the modem 
(COM2), and a remark for the queue: 2400-baud dial-out modem. Mary doesn't 
need to complete any of the other text boxes, so she chooses the OK command 
button. 

Because the mis server is a user-level-security server, the Add Permissions dialog 
box appears next. Mary uses this dialog box to give various users access to the 
new queue. When she chooses the OK command button, the modem queue is 
added to the list of shared resources for mis. 



Using NET SHARE to Share a Comm Device 

To share a communication device queue, use the NET SHARE command with the 
following options: 

—i 



^NET SHARK ^sharename=devi cename | - — ^ f~ 

V^Vcor^^/ V | password ^ < ^ I pe rmlssl 



Ions : permissions 



/remark : text 



/users : /lumber 



/unlimited 



/remark : text 



Figure 6-1. NETSHARE Command 
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sharename is the sharename you are assigning to the communication device queue. 

devicename specifies the communication device(s) to which the queue is to route 
requests. 

/comm tells LAN Manager that the new shared resource is a communication device 
queue. 

password is the password that users must know to access this queue. (Use this 
option only if your server is running with share-level security.) 

/usersrn specifies the maximum number of users (n) that can use this 
communication device queue at the same time. 

/unlimited specifies that there is to be no limit on the number of users that can use 
this resource at the same time. 

/remark: "text" provides a descriptive remark for the communication device queue. 
Remember to enclose the remark in quotation marks. 



NOTE: For instructions on how to read the command flow diagram chart, refer to 
Appendix C. 



Checking a Queue's Status 

When you check the status of a communication device queue, LAN Manager shows 
you how many requests are currently in the queue, what the priority level of the 
queue is, and which devices are being served by the queue. When you check a 
queue's status, you can change its priority or change the server device names to 
which the queue routes requests. 
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1. 
2. 

3. 
4. 

5. 
6. 



ist the status of a particular communication device queue, follow these steps: 

Select the View menu and choose the Comm queues menu item. 

The Show Comm Queues For dialog box appears. 

Identify the communication device queue or queues you want to examine by 
doing one of the following: 

• Type the name of the server sharing the queue in the Server text box. 

• Select the server from the Visible servers list box. 

• Select the local device name that is connected to the queue from the 
Redirected devices list box. 

Choose the Zoom command button. 

The Comm Queues for (Server) dialog box appears, showing the 
communication device queues for the selected server. 

Select the name of the comm device queue you are interested in and choose 
the Zoom command button. 

The Options for Comm Queue dialog box appears, showing the current status 
of the queue. 

You can change the priority of the queue or change the device names of the 
communication devices served by this queue by changing the information in 
the appropriate text box. 

Choose the OK command button. 




Managing Shared 

Communication 

Devices 



6-8 



Example 

In the last example, Mary Sullivan shared a modem on the mis server by creating 
the modem communication device queue. Several people have complained to Mary 
that the modem is almost never free, and so Mary has decided to share a second 
modem from the server. To serve users as effectively and as fairly as possible, she 
decides to share both modems through the modem communication device queue. 

Mary selects the View menu and chooses the Comm queues menu item. In the 
Show Comm Queues For dialog box, she selects the mis server and chooses the 
Zoom command button. In the Comm Queues forWMIS dialog box, Mary selects 
the modem communication device queue and chooses the Zoom command button. 
The Options for Comm Queue dialog box appears next. Mary moves to the Devices 
text box and types the following: 

coml ; com2 

After Mary chooses the OK command button, LAN Manager revises the modem 
comm device queue to serve both modems in the pool. 



Using NET COMM to List Comm Devices 

To list the current status of communication device queues for the local server from 
the OS/2 prompt, use the NET COMM command with the following option: 

net comm [sharename] 

sharenome is the name of the communication device queue. 



NOTE: If you type NET COMM with no sharename, LAN Manager shows the 
status of all communication device queues for the server. 
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Using NET DEVICE to List a Particular Comm Device 

To list the status of a particular communication device, use the NET DEVICE 
command with the following option: 

net device [devicename] 

devicename specifies the communication device. 

If you type NET DEVICE with no device name, LAN Manager shows the status of 
all printers and communication devices shared by the server. 



Using NET COMM to Change Comm Device Queues 

You can also change the priority of a queue and/or device names to which the queue 
is routed by using the NET COMM command with the following options: 

net comm sharename [/priority :xi] [/route : devicename - ] 

sharenome is the communication device queue. 

/priority :n sets the priority (n) for the queue. 1 is highest and 9 is lowest, 
/routeidevicename identifies one or more devices to which the queue is to be routed. 
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Removing Requests from a Queue 

If something goes wrong with a communication device queue or the device to 
which it is routed, you may need to delete all requests from the queue. 

1 . Select the View menu and choose the Comm queues menu item. 

The Show Comm Queues For dialog box appears. 

2 . Identify the communication device queue or queues you want to examine by 
doing one of he following: 

• Type the name of the server sharing the queue in the Server text box. 

• Select the server from the Visible servers list box. 

• Select the local devicename that is connected to the queue from the 
Redirected devices list box. 

The Comm Queues for (Server) dialog box appears, showing the 
communication device queues shared by the selected server. 

3 . Select the sharename of the comm device queue you are interested in and 
choose the Purge all command button. 

A message box appears, asking you to confirm your decision to purge all 
requests from the queue. 

4 . Choose the OK command button. 
Example 

Jenny Tibbett has decided to try a new software package that is supposed to access 
a financial bulletin board. Because of a bug in the software, Jenny ends up trying 
to access the modem pool several times, and eventually ties up both modems. 
Jenny finally gives up and calls Mary to delete the erroneous requests from the 
communication device queue. 
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To purge the modem queue of all requests, Mary selects the View menu and 
chooses the Comm queues menu item. In the Show Comm Queues For dialog box, 
she selects the mis server and chooses the Zoom command button. In the Comm 
Queues forWMIS dialog box, she selects the modem queue and chooses the Purge 
all command button to purge all requests from the queue. 



Using NET COMM to Delete Comm Device Requests 

You can use LAN Manager commands to delete the active communication device 
request for a particular queue. To do this, type the NET COMM command with the 
following options: 

net comm sharename /purge 

sharenome specifies the communication device queue. 

To delete the active request at a specific communication device queue, use the NET 
DEVICE command with the following options: 

net device devicename /delete 

where devicename specifies the communication device where the request is 
running. 

/delete stops processing of the request and deletes it. 



Changing Comm Device Queue Options 

From the list of shared resources for a server, you can view the options for a 
particular communication device queue. You can also change the following: 

• The devices to which the queue is routed. 

• The description of the queue. 

• The maximum number of users that can access the queue at one time. 
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change the options for a comm device queue, follow these steps: 

Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

Select the sharename of a comm device queue and choose the Zoom command 
button. 

The Shared Resource Information dialog box appears. This dialog box 
shows the options for the communication device queue. 

To change one or more of these options, follow the instructions in Table 6-2. 



Table 6-2. Shared Resource Information Dialog Box Text Boxes 



Text Box 


What You Can Do 


Devices 


Use this text box to change the device name(s) for 
the communication device(s) in this queue. If this is 
a device pool, separate the device names with 
semicolons. For example: 

com2 ; com3 


Remark 


Use this text box to change the remark for the 
communication device queue. 


Max. users 


Use this text box to change the maximum number of 
users that can access this queue at one time (you can 
also mark the No limit check box). 



4 . Choose the OK command button. 



To 
1. 

2. 
3. 
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Example 

A few weeks after adding the second modem to the modem queue, Mary finds that 
she needs to increase the maximum number of users that can access the queue at 
one time. To increase this number, Mary selects the View menu and chooses the 
This server menu item. In the Resources This Server Is Sharing With the Network 
dialog box, Mary selects the modem queue and chooses the Zoom command 
button. Then, in the Shared Resource Information dialog box, she moves to the 
Max. users text box, types in 10 to allow ten people to access the queue at one time, 
and chooses the OK command button. 



Using NET SHARE to Change Comm Device Queue Options 

To change the options for a communication device queue from the OS/2 prompt, 
use the NET SHARE command with the same options you would use to create a 
queue: 



^NST SHARE ^— sharename=drive : \path 



1 



password 



^-^^permissions : permissions^ 



/users : number 



/unlimited 



/remark : text 




Figure 6-2. NET SHARE Options 

sharename is the name of the queue. 

devicename specifies one or more communication devices to which the queue routes 
requests. 

/comm specifies that the resource is a communication device queue. 

password is the password that users must know to access this queue (you can use 
this option only with share-level- security servers). 
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/usersmumber specifies the maximum number of users (n) that can use this 
communication device queue at the same time. 

/unlimited specifies that there is to be no limit on the number of users that can 
access this resource at the same time. 

/remark: "text" is a descriptive remark for the communication device queue. 
(Remember to enclose the remark in quotation marks.) 



NOTE: For instructions on how to read the command flow diagram chart, refer to 
Appendix C. 



Making Comm Devices Unavailable 

You may want to stop sharing a communication device queue at some point. 
Perhaps the queue is no longer serving its intended purpose, or the communication 
device is to be removed from the local area network. Whatever the reason, to stop 
sharing a communication device, follow these steps: 

1 . Select the View menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Select the sharename of the communication device queue you want to stop 
sharing. 

3 . Choose the Delete command button. 

The Stop Sharing a Network Resource dialog box appears, asking you to 
confirm your decision to remove the shared comm device queue. 

4 . Choose the OK command button to remove the queue. 
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Example 

Mary wants to move a shared modem from the printl server to the print! server. 
To do this, she must remove a communication device queue from the printl server. 
Mary selects the View menu and the This server menu item at the printl server. In 
the Resources This Server Is Sharing With the Network dialog box, Mary selects 
the sharename of the queue and chooses the Delete command button. The Stop 
Sharing a Network Resource dialog box appears, asking Mary to confirm her 
decision. Mary chooses the OK command button to remove the queue from the list 
of shared resources for printl. 



Using NET SHARE to Stop Sharing Comm Devices 

To stop sharing a communication device queue, use the NET SHARE command 
with the following options: 

net share sharename /delete 

sharename is the communication device queue, 
/delete tells LAN Manager to stop sharing the queue. 
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Chapter 7: Managing Shared Programs 

LAN Manager lets administrators share executable programs with the local area 
network. Users can run these programs in the server's memory while controlling 
input and output from their netstations. 

In this chapter you will learn how to: 

• Prepare your server to share programs. 

• Share a program. 

• Remove a shared program. 

For information about how to use shared programs, see the 3+ Open MS OS/2 LAN 
Manager User Guide. 
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Sharing Programs 

You can use LAN Manager to share executable programs on a server. You can also 
specify which individual users can or cannot use those programs. For example, 
you can allow a group of users to compile C programs on the server, using the 
server's memory and processing power, while allowing another group to look at C 
programs on the server and to copy them over to their netstations, but not to run 
them on the server. 

There are three ways local area network users can use programs that are on a server 
by: 

• By copying the program and then running it on the netstation. 

• By running the program in netstation memory without copying it to the 
netstation. 

• By running the program in the server's memory. This is a shared program. 

For example, when Jenny Tibbett wants to run a program called cal that prints 
calendar pages, and she knows that the CAL.EXE file is in the MisMVIisc shared 
directory, she types: 

net copy \\mis\misc\cal.exe c:\cal.exe c:\cal 

This runs the cal program in the memory of her netstation. (See the 3+Open MS 
OS/2 LAN Manager User Guide for a description of the NET COPY command.) 

For example, Jenny could simplify what she did in the last example by simply 
typing: 

\ \mis\misc\cal 

This runs the cal program in the memory of her netstation, even though the actual 
CAL.EXE file is on the mis server. 
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For example, when Mike Greenbaum wants to run a time-consuming program 
named sched.exe that formats schedules in a calendar form, he types: 

net use m: \\mis\misc 
m : 

net run sched jan feb mar apr may june 

The difference is that Jenny runs the program in her netstation's memory, causing a 
load on her netstation, while Mike runs the program in the server's memory, 
allowing the server to do the work. 

Sharing programs gives users the benefit of the superior resources of a server. 
Typically, servers are more powerful than netstations in terms of memory, disk 
space, and processing speed. By giving work to the server, users keep their 
netstations running as smoothly as possible. 

Some programs can only be run on computers with a large amount of memory or 
disk space. Without shared programs, users might not otherwise be able to run 
these programs at all. 



Preparing to Share Programs 

Setting up a server to share programs involves two tasks: 

• Establishing a "run path" for shared programs. 

• Starting the LAN Manager Netrun service. 
The following sections define these tasks in detail. 
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Defining the Run Path 

Before you share programs over the local area network, you should decide how to 
organize them. Generally, you have two choices: 

• To put all the programs in one directory and then allow users to run shared 
programs in that directory. 

• To allow users to run shared programs in many directories. 

When you set up a server for shared programs, you define a run path that tells LAN 
Manager where to look for shared programs on the server. Any program not in the 
run path cannot be run with the NET RUN command. 

You can keep the run path simple, and make sure that the programs you want are in 
that path, or you can distribute shared programs among many directories and make 
sure that the run path includes those directories. The problem with the second 
method is that you may accidentally share some programs that you did not mean to 
share. 

For example, if you put the LanmanNNetprog directory (containing LAN Manager 
commands) in the run path, anyone with a valid account on the server and execute 
permission on that directory can run LAN Manager commands on the server. 

To avoid this kind of problem, it's a good idea to use only a single directory or a 
small number of directories for shared programs. You can keep track of 
permissions and the run path much more easily this way. 

Once you have decided which directories to use for shared programs, use the 
following steps to define the run path: 

1 . Edit the runpath= entry in the L ANMAN.INI file to read: 

runpath=directoryl [;directory2;...] 

where the path is a list of directories, separated by semicolons. The syntax 
for path specification is the same as for OS/2 paths. 
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2 . For each directory on the run path, assign the R or X permission to the .exe 
programs that you want users to be able to run. 

With user-level security you can define this permission separately for each 
user. Share-level permissions have no effect on network execution; you must 
be very careful about choosing a run path since any user can run any program 
on the run path. 



NOTE: Refer to the 3+ Open Network System Guide for detailed information on 
the LANMAN.INI file. 



Starting the Netrun Service 

When you have set up the run path and prepared the directories, the server is ready 
to share programs. The LAN Manager service that actually shares the programs is 
the Netrun service. 



1 . Edit the srvservices= entry in the LANMAN.INI file to add the Netrun service 
to the list of services that automatically start with the Server service. 

See Chapter 2: Starting and Using LAN Manager Services for more 
information on starting services. 

2 . Edit the maxruns= entry in the L ANM ANJNI file to define how many shared 
programs can run at one time. 

The more shared programs you allow, the busier your server may be in 
handling these programs. If server speed is important to you, set this entry to 
a small value. The default value is 5. 



3 . Stop the Server service and restart it, or type the following at the OS/2 
prompt: 



net start netrun 
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4 . Check that the BPC$ resource is being shared. 

This special administrative resource must be shared for users to be able to 
gain access to shared programs. The IPC$ resource is automatically shared 
under user-level security; under share-level security you must share it and 
may assign it a password. 

With user-level security, you can define who can and who cannot use shared 
programs. The IPC resource \pipe\lanman\netrun controls access to the 
Netrun service. 

For example, you could prevent jennyt from using any shared programs by 
typing: 

net access \ pipe \ lanman\ net run /grant jennyt : n 

The server is now sharing programs. 



Maintaining Shared Programs 

When you have set up your server to share programs, as described in the last 
section, your further role as administrator is one of maintenance. The following 
sections provide detailed procedures for two tasks: 

• Adding shared programs. 




• Removing shared programs. 
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Adding Shared Programs 

In the course of preparing the server for sharing programs, as described earlier in 
the "Preparing to Share Programs" section, you defined some shared programs. 
The procedure in this section describes how to add to that list of shared programs. 

1 . Move the program (the .EXE file) to a directory on the established run path or 
add the program's directory to the run path. 

If you are expanding the run path, check for other .exe programs in the 
directory you are adding, and decide if you really want to share this directory. 

2 . If this is a user-level server, assign the R or X permission to the .EXE file 
that you want users to be able to run. You can define this permission 
separately for each user. 

3 . Edit the runpath= entry in the LANMAN JNI file to add the program's 
directory to the run path (if it is not already there). 

4 . Stop and restart the Netrun service with the following commands: 

net stop netrun 
net start netrun 



Removing a Shared Program 

You have three options for removing a shared program: 

• You can move the program to a directory that is not on the run path, or 

• If this is a user- level server, you can remove the R and X permissions for the 
program. This is appropriate if you are temporarily removing access or if you 
want to bar some users while allowing others. Note that users with admin 
privilege will still be able to run the program. With user-level security you can 
define this permission separately for each user, or 



• You can delete the program from the server's hard disk. 
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Chapter 8: Managing User-Level Security 

This chapter, and the following two chapters, discuss LAN Manager security. As 
an administrator, you have to make decisions about who should and who shouldn't 
be able to use server resources. 



Network Security 

There are two ways of controlling access under LAN Manager: 

• Logon security controls access to the entire local area network. See Chapter 10: 
Managing Logon Security, for a discussion of logon security. 

• Resource security controls access to particular resources. This chapter and 
Chapter 9 discuss resource security. 
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Resource Security 

There are in turn two ways of controlling resource security: 

• User-level security controls access on a per-user basis. You specify which 
resources each user can use and what they can do with each resource. This 
chapter discusses user-level security. 

• Share-level security controls access on a per-resource basis. You assign a 
password to each resource and then control access by giving the password only 
to users who need it. Chapter 9: Managing Share-Level Security, discusses 
share-level security. 

Every server on your local area network must be either a user-level or a share-level 
server. 

In this chapter, you will learn how to set up and maintain a user-level server. After 
reading this chapter, you will be able to add or remove user accounts from the local 
area network and control user access to resources. 



User-Level Security 

The difference between the two security modes (user-level and share-level) is subtle 
but important. User-level security provides exact control over every aspect of 
access, and is best for sites with a wide variety of users, all with differing needs. 
Share-level security provides more general control, and may be appropriate for sites 
that are using other local area network products in addition to LAN Manager. 

Each server must use one security mode or the other. You cannot mix security 
modes on one server. You can, however, have both user-level and share-level 
servers on the same local area network. 

If you don't know what security mode your server is running, check the 
background of the LAN Manager screen. Look for the following line: 



Server operating in user security mode. 
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Figure 8-1 shows what happens when a user tries to access a resource shared by a 
user-level server: 



(Workstation *\ 
requests access J 

^ Logon security^ - 



Fail 



Pass 



Is this the first 
access to this 
Server? 




Check access 
list for this 
resource 



Check username, password 
against server accounts 



Is this a valid 
user of this 
server? 



N 



f 



Try using guest account 
with password provided 



^ f Is this a valid user\N 

^1 of this server? 



Does this user have the 
appropriate privilege to access 
this resource? 



N 



I 



Does this user have appropriate 
permissions to access this 
resource? 



N 



C Permit I 
I access J 



CDeny 
access 



Figure 8-1. Access Under User-Level Security 
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This flowchart shows what happens when a user tries to use a resource shared by a 
user-level server. 



Usernames and Passwords 

A username is the name by which a server recognizes a user. A password is a 
secret code, known only to the user, that verifies the user's identity. As an 
administrator, you must help users to understand and use usernames and 
passwords. 



Accounts 

A user-level server maintains a list of users who can access resources on that 
server. Each entry in that list is known as an account and consists of a username 
and password. 

When you add or remove a user from the server, you are actually adding or 
removing an account, and when you change a user's password or privilege, you are 
modifying an account. 

Some local area network products do not support the concept of a username. DOS 
LAN Manager, MS-Net, and PC-LAN netstations instead supply a computername, 
and the server treats this as if it were a username. 



The Guest and Admin Accounts 

LAN Manager provides two ready-made user accounts on each server: 

• Guest is a generic account for guests. 

♦ Admin is a generic account for administrators. 
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You should assign passwords for each of these accounts when you install a user- 
level server. You can later delete these accounts if you want, or change their 
names. If you change the name of the guest account, you must also change the 
guestacct= entry in the LANMAN.INI file. 



Groups 

For ease in dealing with large numbers of users, you can define groups of users 
and assign them groupnames. Then, when you need to make a change that affects 
the users in a group, you avoid having to exhaustively list all of the group's 
members by user name. 

A group cannot contain other group names. For example, jackst and jennyt can be 
members of the group modem-users, but modem-users cannot in turn be a member 
of another group. 



NOTE: Beware the similarity of the terms group and LAN group. A group is a 
collection of usernames, whereas a LAN group is a collection of computernames. 



When LAN Manager displays a groupname, it prints an asterisk at the beginning of 
the name. This asterisk is not part of the name; it simply indicates that this is a 
groupname rather than a username. For example, when you type NET GROUP at 
the OS/2 prompt, LAN Manager shows you all the groups on the server: 

User Groups for \\MIS 



*USERS *MODEM-USERS *WORD-USERS 
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The Users Group 

LAN Manager provides one ready-made group on each server. The users group 
includes every user who has an account on the server except users who have guest 
privilege. See the next section for a discussion of the guest privilege. 

You cannot delete or change the automatic membership of the users group. 

A user can be a member of any number of groups. 



Privileges 

Every user's account has an assigned privilege level. The privilege level determines 
what kinds of actions that user can take on this server. 

The three privilege levels are listed in Table 8-1. 



Table 8-1. User Account Privilege Levels 



Privilege Level 


Purpose 


User 


Can perform all local area network tasks except those 
specifically reserved for administrators. The user privilege 
level is the one you will assign to most users. 


Guest 


Same as user privilege, except that users are not members of 
the users group. This lets administrators control a guest's use 
of the local area network. 


Admin 


Can create accounts, assign permissions for resources, 
manage device queues, and grant privileges to other users. 
Any user to whom you grant this privilege level should have 
the same qualifications and knowledge as the administrator, 
since that person will have full access to every part of this 
server. The admin privilege overrides all other permissions 
and privileges, so assign it with discretion. 



Privilege is an attribute of user accounts, rather than of specific resources. The next 
section explains resource permissions. 



Managing User-Level 
Security 




8-7 



Permissions 

You can define who can and cannot use each resource on a user-level-security 
server, and what each user can do with each resource. This is known as defining 
user permissions for that resource. You can assign a different set of permissions to 
each user of a resource. 



Setting Access Permissions 

The most basic permission you can give a user is permission to access a resource. 
You do this by dividing users into two categories: those who can access the 
resource and those who cannot. Groups are very useful here, especially the default 
group users which includes all user accounts except those with guest privilege. If 
you do not give access permission to a user, either individually or as part of a 
group, that user cannot access the resource. 

As a special case, you can give users the ability to set their own permissions on 
selected resources. For example, you might set up a home directory for a user on 
your server, then give the user the ability to set permissions on anything within that 
directory. The user can then control who else can read, write, or modify files in 
that directory. See the discussion of the P permission in the "Disk Resource 
Permission" section later in this chapter. 



How LAN Manager Determines Access 

LAN Manager evaluates a request for access to a resource in this order: 

1 . Does the user have admin privilege? If so, grant the request. The admin 
privilege overrides all permissions. 

2. Does this user have specific permissions for this resource? If so, use those 
permissions to determine access. User permissions override group 
permissions. 
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3 . Does this user belong to a group (or groups) that have specific permissions 
for this resource? If so, use the "union" of those permissions to determine 
access. For example, if the user belongs to two groups, one with read 
permission and one with write permission, the user has both read and write 
permission. 

4 . If the user fails all of these tests, deny access to the resource. 



Setting Other Permissions 

After you define who can use a resource, you must decide how each user can use 
the resource. There are different types of permissions for different types of 
resources. 

The following sections describe the permissions for each type of resource as shown 
in Table 8-2 in detail: 



Table 8-2. Resource Permissions 



Resource Type 


Permission 


Disk 


C Create 

D Delete 

R Read 

W Write 

X Execute 

A Change Attributes 

P Change Permissions 

Y Yes (RWCDA) 

N No 


Spooled Printer Queue 


Y Yes (C) 
N No 


Communication Device Queue 


Y Yes (RWC) 
N No 


IPC 


Y Yes (RWC) 
N No 
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Disk Resource Permissions 

A disk resource is a disk drive, a directory, or a file. The permissions for a disk 
resource are as follows: 

• Create (C) permission allows a user to create files and directories within the 
shared disk resource. The C permission does not grant read or write access to 
existing files. After creating a file, a user can read or write to that file only until 
closing it. 

• Delete (D) permission allows a user to delete files and directories within the disk 
resource (but not to delete the disk resource itself). 

• Read (R) permission allows a user to read or open files and to change 
directories. 

• Write (W) permission allows a user to write to a file. 

• Execute (X) permission allows a user to open a file for execution. 



NOTE: If you assign R permission, you do not need to assign X permission. If 
you assign X permission without R permission, LAN Manager netstations can 
execute the file but not read it, while DOS netstations cannot read or execute the 
file. 



• Change Attributes (A) permission allows a user to change physical file 
attributes. OS/2 provides four physical file attributes: 

• R (Read only). 

• H (Hidden). 

• S (System). 




• A (Change Attributes). 
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These file attributes take precedence over LAN Manager permissions. For 
example, if a file in a shared directory has the LAN Manager W permission but 
also the OS/2 R attribute, the user cannot write to the file. 

• Change Permissions (P) permission allows a user to change the LAN Manager 
permissions for the resource. See the "Changing Permissions as a Non- 
Administrative User" section later in this chapter. 

• Yes (Y) permission is a convenient abbreviation for the RWCDA group of 
permissions. 

• No (N or none) permission prevents a user from doing anything. For disk 
resources, the N permission is sometimes indicated by a colon with nothing 
after it; you don't actually see the letter "N". When you assign this permission, 
you cannot assign any other permissions. Use this permission to exclude 
individual users from access despite whatever groups to which those 
individuals might belong. For example, if you give read and write permissions 
to the users group, you can exclude a specific user in the users group by 
assigning that user the N permission. 

The N permission should not be assigned to groups. When evaluating group 
permissions, LAN Manager considers the union of all applicable group 
permissions. For example, if you give RWC permission on a directory to the 
users group, but N permission to the modem-users group, members of modem- 
users could still use the directory if they were also members of users. You gain 
nothing by assigning N permission to groups. 

The LAN Manager screen provides convenient groupings of these permissions, so 
that you can easily assign common permission combinations. Thus, you can find 
RW (read and write) or RWCDA (read, write, create, delete, and change attributes) 
permissions, for example, in the Edit File Permissions dialog box. 
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Spooled Printer Queue Permissions 

A spooled printer queue is a resource that accepts spooled requests. A spooled 
request is a collection of data, such as a file, that you send to a queue. You have no 
further interaction with the queue. Spooled printer queues are commonly associated 
with LPT ports on servers. 

Yes (Y) permission allows a user to use a particular spooled printer queue; No (N) 
permission prevents a user from using the printer queue. 



Communication Device Queue Permissions 

A communication device queue is a resource that accepts non-spooled requests. A 
non-spooled request is an active process that requires interaction (input/output) with 
the resource. Users would need to use a communication device queue to connect to 
a modem, for instance. Communication device queues are commonly associated 
with COM ports on servers. 

Yes (Y) permission allows a user to use a particular communication device queue; 
No (N) permission prevents a user from using the queue. 



IPC Resource Permissions 

An IPC (interprocess communication) resource is a mailslot or named pipe. 

Yes (Y) permission allows a user to use the IPC resource; No (N) permission 
prevents a user from using the resource. 



Setting Up User-Level Security 

In this section, you will learn how to prepare your server for user-level security. 
You need to do this if you want to control access to resources on a per-user basis. 

You should already have read the first sections of this chapter, explaining the 
concepts and rules for user-level security. 
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Checklist for User-Level Security 

The following checklist summarizes what you must do in order to make user-level 
security work on your server: 

1 . Set the security= entry in the LANMAN.INI file to user. 

2. Make certain that you have the necessary software files in place. 

3 . Set up logon security, if necessary. 

4. Create user accounts. 

5 . Define access permissions for each shared resource. 

6. Maintain accounts and permissions. 

The following sections describe each of these steps in detail. 



Defining the Security= Entry 

You must define the LANMAN.INI security= entry to enable user-level security by 
editing the LANMAN.INI file. Find the security= entry and edit the line to read: 

security=user 

See the 3+Open Network System Guide for details on this and other 
LANMAN.INI entries. 

After defining the security= entry, you must stop and restart the LAN Manager 
Server service to make the change effective. See Chapter 2: Starting and Using 
LAN Manager Services, for details on starting and stopping services. 
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Checking for Necessary Files 

LAN Manager requires the following directories and files for user-level security: 

• The LanmanXAccounts directory. 

• The 3open\Users directory. 

• The LANMAN\ACCOUNTS\NET.ACC file. 

You will encounter the following error if the access control database file, 
LANMAN\ACCOUNTS\NET. ACC, is missing: 

There is a problem with the system configuration: 
Security Failure . 

If you receive this error, you must stop and create the netacc file before you can 
proceed. Move to the LanmanXAccounts directory and use the MAKEACC 
command with the following options: 

makeacc N lanroot 

N is the number of accounts you want the access control database to be able to 
handle. The maximum is 1048. Make room for more accounts than you expect to 
have; filling up the database can hurt performance. Ideally, you should fill 60% of 
the database. 

lanroot is the root of the Lanman directory, usually c:\3open\Server\Lanman. 

The more accounts the database can handle, the larger the NET. ACC file is, so keep 
an eye on available disk space. 

The MAKEACC command prompts you for passwords for the guest and admin 
accounts. Choose unique passwords for these accounts. The guest account 
provides access to this server for people without their own accounts, so a null 
(blank) password here allows anyone access to the server. The admin account is 
for administrators only; anyone with the password for this account can control the 
server. 
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NOTE: Chapter 10: Managing Logon Security, explains logon security in detail. 
If the following brief explanation is not clear, see Chapter 10. If you do not choose 
to use logon security on this local area network, you can skip this section. 



For the purposes of basic user-level security, there are two possible concerns with 
logon security: 

• If this server is to be a central logon validator, then you must establish an 
account on this server for each possible user of the local area network. 

• If a different server is to be a central logon validator, then you may want to 
assign passwords on this server that match those on the central logon validator 
server. This would mean that users would only need to know one password to 
use both servers. (Of course, users can change their passwords later if they 
want to.) 



Creating User Accounts 

See the "Adding Users" section, later in this chapter, for details on how to create 
user accounts. For now, note that you must do the following for each account: 

• Assign a user name. 

• Assign a privilege level. 

• Assign group memberships. 

You can also assign a password, if you choose, along with some other account- 
related things, but these three are the basic necessities. 
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Defining Access Permissions 

For each resource that you share, you must define who can access that resource and 
what they can do with it. See the "Permissions" section, earlier in this chapter, for 
a full discussion of access permissions. 

For a user to be able to access a resource, you must satisfy both of these conditions 
in defining permissions: 

• The user's user name must be in the Permitted access list, either by user name 
or by inclusion in a group name. 

• The permission assigned in the Permitted access list must not be the N 
permission. 

The N permission for individual users overrides all other permissions. For 
example, if you give the users group RW access permission, but give a particular 
user the N permission, that user cannot access the resource even though he is a 
member of users. 



Maintaining User-Level Security 

After setting up user-level security, your role as administrator is largely one of 
maintenance. You must tend to the user accounts, adding or deleting them as 
necessary. You must also assign permissions each time that you share a new 
resource. You can also modify existing accounts and permissions at any time. 

The remaining sections in this chapter provide detailed procedures for these and 
related tasks. 
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Managing Users 

A user is anyone who uses network resources. Anyone who wants to use 
resources shared from a user-level server must have a user account on that server. 
The following sections provide detailed procedures for three tasks: 

• Adding user accounts. 

• Changing a user's password. 

• Removing user accounts. 

These procedures pertain to user accounts. To control access to specific resources, 
see the "Managing Resources" section, later in this chapter. 



Adding Users 

You need to add user accounts to a server under the following circumstances: 

1 . When you are installing a server. There are two ways you can do this: 

• By copying the existing accounts from another server's 
LANMAN\ACCOUNTS\NET. ACC file to your server. This copies the 
entire access control database, including user accounts and resource 
permissions. You should make any necessary changes to the accounts 
and permissions for the new server. Both servers must be running the 
same release of LAN Manager for this method to work. 

• By creating each account from scratch. 

2. When you add a new netstation to the local area network. If the person or 
people who are to use the netstation already have accounts on this server, you 
do not need to add any new accounts. 
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3 . When a new person needs to use the local area network. You must create a 
user account, regardless of whether this person will use a netstation, another 
server, or this server. 

4. When you want to establish an anonymous account. Sometimes you may 
want to create an account not tied to any particular person, such as a guestprtr 
account for people who only need to use the local area network for occasional 
printing. It is usually more efficient to establish groups for this purpose; 
anonymous accounts are a potential security problem. 

LAN Manager stores user account information in the 

LANMAN\ACCOUNTS\NET. ACC file. If this file is missing or too small, there 
can be problems when you try to add an account. See the "Checking for Necessary 
Files" section, earlier in this chapter, if you need to create the NET. ACC file. 



Adding an Account 

To add a user account to the server, follow these steps: 
1 . Select the Accounts menu and choose the Users/Groups menu item. 
The Users/Groups dialog box appears. 
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2 . Select an item from the Username list box: 

• Select [NEW] to create an entirely new account. 

• Select an existing account if the account you are creating is to be modeled 
after that account. The new account will have the same privilege and 
group membership as the selected account. You can change the account 
permissions later. 

3 . Choose the Add command button. 

The Add User Account dialog box appears. If you selected an existing 
account, some of the text boxes in this dialog box are already filled in. 



NOTE: You may encounter an error at this point if the access control database is 
not large enough. You must either remove some accounts or stop and make the 
database bigger before you can proceed. Refer to "Adding Space for More 
Accounts" section immediately after this procedure. You will need to exit out of the 
LAN Manager screen program to perform the task. 
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4 . Complete the text boxes in the Add User Account dialog box according to 
instructions in Table 8-3. 



Table 8-3. Add User Account Dialog Box Text Boxes 



Text Box 


What to Do 


Username 


Supply a user name for the new user. User names can be up 
to 20 characters long and can be composed of letters, 
numbers, or the following characters: 

$%;-_<§> { 

When possible, use letters, numbers, and the hyphen. All 
lowercase letters are automatically converted to uppercase 
letters. 

If the account is for a DOS LAN Manager, MS-Net, or PC- 
LAN user, the user name is actually the user's computer name. 


Password 


Assign a password for the user. The possible characters for a 
passwora are the same as for a user name. 


Directory 


Specify a name for the user's home directory on the server. 
LAN Manager creates this directory as a subdirectory of the 
3open\Users directory. 

If you leave this text box blank, the user has no home 
directory. This does not affect the user's ability to access 
server resources. 


Script 


Specify the pathname of a logon script. See Step 6 for further 
information. If you type just a filename without a path, the 
path defaults to 3open\Users. 


Comment 


Supply a descriptive comment for this user. This comment 
can oe seen only by administrators of this server. A typical 
remark might be the user's full name and phone number. The 
remark can be up to 48 characters long, though text boxes in 
the LAN Manager screen will not show the entire remark. 
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5 . Use the [Tab] key to move to the column of option buttons on the right of the 
Add User Account dialog box. Select the privilege level for this user: guest, 
user, or admin. See the "Privileges" section earlier in this chapter for 
descriptions of the different privilege levels. 

6 . Mark or unmark the following check boxes as needed: 

• Use script-If this server is a logon validator and you want it to be able to 
validate this user's logon requests, you should mark this check box. This 
does not guarantee that this server will actually be validating the user (in 
the case of distributed logon security). If you mark this check box you 
should also supply the pathname of a script in the Script text box. 

The default script is: 

3open \users\ script s\net logon .cmd 

See Chapter 10: Managing Logon Security, for details about logon 
scripts. 

• Disabled-By checking this box, you prevent the user from using 
resources on this server. This is equivalent to temporarily removing the 
user's account. 

7 . Use the two list boxes and the Move command button to specify the groups to 
which the user is to belong. 

8 . Choose the OK command button. 

If you created a home directory for the user in Step 4, make sure the new user has 
access to that directory. Usually, permissions on a home directory should allow 
full access (RWCDAP) for the user and an N permission for all others. See the 
"Managing Resources" section later in this chapter for information on changing 
directory permissions. 
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Home directories are where users should keep private files on the server. As an 
administrator, you may need to keep an eye on how much disk space the home 
directories are consuming and issue warnings accordingly. 

When you have completed this procedure, you have added a new user account to 
this server. Now you need to grant the new user access to local area network 
resources. See the "Managing Resources" section later in this chapter. 



Adding Space for More Accounts 

If necessary, use this procedure to enlarge the access control database: 

1 . Switch to another MS OS/2 session or exit the LAN Manager screen. 

2 . Move to the Lanman\Accounts directory. 

3 . Use the GRO WACC command with the following option at the OS/2 prompt: 
growacc N 

N is the number of accounts you want the access control database to be able to 
handle. The maximum is 1048. 

Make room for more accounts than you expect to have; filling up the database 
can hurt performance. Ideally, you should fill 60% of the database. 

The more accounts the database can handle, the larger the NET. ACC file is, 
so keep an eye on available disk space. 

4. Return to the LAN Manager screen. 

You can now continue with the procedure for adding a user account. 
Example 

A new user, John O'Clare, needs to be able to use the mis server. Mary Sullivan 
must set up an account for him. 
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In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, she moves to the 
Usemame hst box and selects [NEW]. She then chooses the Add command button. 

In the Add User Account dialog box, Mary begins filling in information. She types 
the user name johnoc in accordance with company policy on forming user names 
from people's real names. Moving to the Password text box, she types the 
password she gives to every new user: newuser. She will later tell John to change 
his password to something personal. 

In the Directory text box, Mary types the name of a home directory for John to use 
on mis. By established convention, she gives home directories the same name as 
the user account, so she types johnoc, which creates the directory 
3open\Users\Johnoc. 

The next text box is Script. Mary has created a logon script for new employees that 
establishes some basic connections to printers and central servers. The script is in 
the 30PEN\USERS\SCRIPTS\NEWUSER.CMD file, so she types 
scripts\newuser.cmd in this text box. 

In the Comment text box, Mary types a remark for this account. Following the 
pattern of other mis accounts, she types in John O'Clare's full name and telephone 
extension. Pressing the [Tab] key, she moves to the column of option buttons 
defining privilege level. Since John is a junior accounting clerk with a limited need 
to access resources, she marks the Guest option button. This bars johnoc from 
membership in the users group; in the list boxes below, the users group name 
moves from the Member of to the Not a member of list box. 

Mary then moves to the Use script check box. Since mis is a central logon 
validator, she marks this check box. When John logs on, LAN Manager will run a 
logon script for him at his netstation. 



The next check box is Disabled. Since this is to be an active account, Mary leaves 
this box unmarked. 
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Finally, Mary moves to the two list boxes at the bottom of the dialog box. Because 
of the guest privilege level Johnoc cannot be a member of the users group. 
However, he should be a member of the accounting group so that he can reach the 
appropriate resources for his job. She moves the accounting groupname from the 
Not a member of list box to the Member of list box. 

The information in this dialog box is now complete; Mary chooses the OK 
command button, and a confirmation dialog box appears, asking if it is all right to 
create the home directory for johnoc in the lanman\accounts\userdirs directory. 
Mary chooses the OK command button to create the directory. 

Since LAN Manager is creating a new directory on mis, it brings up the Edit File 
Permissions dialog box. Mary sees that johnoc is in the Permitted list box and has 
full permission (RWCXDAP). This means that John can do whatever he wants in 
this directory, even change the permissions of other users to access this directory. 
When Mary chooses the OK command button, she is done with adding this user 
account. 

Mary has two responsibilities after this: 

• To give John information about his user name, password, and home directory. 
She should also tell him about changing his password and about the 
connections that are automatically made for him by the newuser.cmd logon 
script. 

• To assign access permissions for John to specific resources. Since johnoc is a 
member of the accounting group, John already has access to some resources. If 
he needs to use other resources, Mary must give him additional group 
memberships or modify the permissions on the relevant resources. 
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Using NET USER to Add a User Account 

To create a user account, use the NET USER command with the following options: 



{ NET USER 



username 




password 





7~S 



S^/active • ye£^- 



<2 



/add 



/delete ^> 



>s ^~ /enablescript :yes 



^~ /enablescript :no 
*»«^7homedi r : dri ve\pattT^s 



< ^^/ho medLir : \path 
>s -^7 /privipri viiegre 



/remark.: text 



7 scriptpath: \path 



Figure 8-2. NET USER Command 

username is the name of the new account. 

password is the user's password. If you leave this out, the user can access the 
server without supplying a password. 



\ 



/add is the option that tells LAN Manager to add this account. 
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/pnviprivilege is the user's privilege level: type user, guest, or admin. 

/homeihomedir is the home directory for the user on this server. If you leave this 
out, it does not affect the user's ability to access other resources on this server. If 
you establish a home directory, remember that you must assign permissions for that 
directory with the NET ACCESS command. See the "Managing Resources" 
section later in this chapter. 

remark is a descriptive comment about this user. If you leave this out, it does not 
affect the account in any way. Remember to enclose the remark in quotes. 



NOTE: Figure 8-2 shows the NET USER command with all the command options. 
You may wish to refer back to this figure when the different options of the 
command are discussed in succeeding sections. 



Using NET USER to Define a Logon Script 

To define a logon script for a user account, use the NET USER command with the 
following options: 

net user username /enable :y / scriptpath : pathname 

username is an established user account. 

/enable:y is the option that tells LAN Manager to use a logon script for this user. If 
you set this option to n, the server will not validate this user's logon requests. 

/scnptpathipathname is the pathname of a script file, relative to the 3open\users 
directory. If you omit this option, the default script is scripts\netlogon.cmd. 
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Using NET USER to Disable a User Account 

To disable a user account, use the NET USER command with the following option: 
net user username / active :n 

username is an established user account. 

You can combine all of the above NET USER commands on one command line, if 
you choose. See the 3+Open MS OS/2 LAN Manager Administrator Reference for 
details on the NET USER command. 

Example 

In the previous example, Mary set up a user account for John O'Clare from the 
LAN Manager screen. If she had wanted to do the exact same thing from the OS/2 
prompt, she could have typed: 

net user johnoc newuser /add /priv: guest 
net user johnoc /home: johnoc 

net user johnoc /rem: "John O'Clare, x2222" 

net user johnoc /enable :y 

/scriptpath : scripts\newuser . cmd 

net group accounting johnoc /add 

mkdir c : \ lanman\ account s\userdirs\ johnoc 

net access c:\lanman\accounts\userdirs\johnoc /add 

johnoc : 

RWCDAP 

For an explanation of the NET GROUP and NET ACCESS commands, see the 
"Managing Groups" and "Managing Resources" sections later in this chapter. 
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Changing a User's Password 

To ensure security, all passwords on the local area network are protected by a 
process known as encryption. An administrator cannot see a user's password. 
However, as administrator, you can change users' passwords. You may want to 
change a user's password under the following circumstances: 

• When users forget their passwords. 

• When users fail to change their passwords for a long time. 

• When you need to "force" a new password for security reasons. 

Changing a user's password at this server does not change that user's passwords at 
other servers. If this server is a logon validator, however, changing a user's 
password can affect the user's access to the local area network. 



Changing a Password 

To change a user's password, follow these steps: 

1 . Select the Accounts menu and choose the Users/groups menu item. 
The Users/Groups dialog box appears. 

2 . Select a user name from the Username list box. 

3 . Choose the Zoom command button. 

The Change User Account dialog box appears. 

4 . Type the new password for this user in the Password text box of this dialog 
box. 
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5 . Choose the OK command button. 

The Edit File Permissions dialog box may appear, letting you change 
permissions on the user's home directory (if there is one). 

6 . Inform the user of the password change. 



Using NET PASSWORD to Change a User's Password 

To change a user's password, use the NET PASSWORD command with the 
following options: 

net password [computername] username oldpas sword 
newpas sword 

computername is the computer name of the server at which you want to change the 
password. If you leave this out, it means that you are changing the password on 
the server you are currently administering. 

username is the account whose password you are changing. 

oldpassword is the old password. 

newpassword is the new password. 

This command can be typed by anyone who knows the user name and existing 
password for the account. 
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Using NET USER to Change an Unknown Password 

An administrator may sometimes need to change the password without knowing the 
current password; in this case, use the NET USER command with the following 
options: 

net user username password 

usernome is the user whose password you are changing. 
password is the new password. 

Unlike the NET PASSWORD command, the NET USER command requires admin 
privilege. 

Example 

John O'Clare, a new user on the mis server, needs to change his password. His 
administrator has told him that his user name is johnoc and his temporary password 
is newuser. He must change the temporary password to one that only he knows 
and that he can remember. 

Choosing the name of his favorite aunt, John changes his password by typing the 
following at the OS/2 prompt: 

net password \\mis johnoc newuser mathilda 



Removing Users 

This section explains how to remove a user account — it does not explain how to 
revoke permissions for access to specific resources. For information about 
revoking permissions on a per-resource basis, see the "Managing Resources" 
section later in this chapter. 

You may want to remove a user account under the following circumstances: 



• When you change a user name (by creating a new account and then deleting the 
old one). 
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• When a user is no longer using the local area network. 

• When a user is no longer using this particular server. 

• When you must close the account for security reasons. 

You can temporarily disable a user account without removing it. When an account 
is disabled, the user cannot access server resources. See the "Adding Users" 
section earlier in this chapter for information on how to disable a user account. 



Removing an Account 

To remove a user's account from the server, follow these steps: 

1 . Select the Accounts menu and choose the Users/groups menu item. 
The Users/Groups dialog box appears. 

2 . Select the user name you wish to remove from the Username list box. 

3 . Choose the Delete command button. 

A dialog box appears, asking you to confirm your decision. 

4. Press [Enter]. 
Example 

David Wilkins has gotten married, and has changed his name to David Burney- 
Wilkins. By company standards, this means that his user name should change 
from davidw to davidbw. Since there is no way to change the user name of an 
account, Mary Sullivan must add a new account for David and then delete his old 
account. 
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In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. She then selects davidw from the Username list box and 
chooses the Add command button. This creates a new user account with the same 
attributes as the existing davidw account, thus saving Mary some trouble in 
transferring information to the new account. Mary gives the user name davidbw to 
this new account. 

After creating the new account, Mary is ready to delete the old davidw account. In 
the Users/Groups dialog box, where she has just finished creating the new account, 
she moves into the Users list box, selects davidw, and chooses the Delete command 
button. In the confirmation dialog box that appears, she chooses the OK command 
button. The davidw user account is now gone. 

This concludes the discussion of dealing with user accounts. The next section 
includes procedures for dealing with groups. 



Using NET USER to Remove an Account 

To remove a user account, use the NET USER command with the following option: 

net user username /delete 

username is the account you want to remove. 

/delete is the option that tells LAN Manager to remove the account. 
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Managing Groups 

A group is a set of local area network users that have something in common. For a 
more detailed description of groups, see the "User-Level Security" section earlier in 
this chapter. 

The following sections provide detailed procedures for four tasks: 

• Adding groups. 

• Adding members to a group. 

• Removing members from a group. 

• Removing groups. 



Adding Groups 

Groups can greatly simplify your job as administrator. It is easier to keep track of a 
few groups and their common interests than to keep track of all users and their 
individual needs. Users don't need to know about group names, since those are 
only meaningful to an administrator; users only need to know whether or not they 
can access a given resource. 

To add a new group to the server, follow these steps: 

1 . Select the Accounts menu and choose the Users/groups menu item. 




The Users/Groups dialog box appears. 
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2 . Select an item from the Groupname list box: 

• Select [NEW] to create an entirely new group. 

• Select an existing group name if the group you are creating is to be 
modeled after that group. The new group will have the same group 
members as the selected group. You can change the membership later. 

3 . Choose the Add command button. 

The Add Group Account dialog box appears. 

If you select an existing group, the Members list box should have entries; if 
you select [NEW], the Members list box should be empty. In either case, the 
user names of all users who have accounts on this server appear in one of the 
two list boxes. 

4 . Type the name of the new group in the text box at the top of this dialog box. 

The name of the group should be easy to remember, and should reflect the 
group's purpose. Group names can be up to 20 characters and can contain 
letters, numbers, or the following characters: 

$%;-_@{}~ x !#<) 

When possible, use letters, numbers, and the hyphen (-). All lowercase 
letters are converted to uppercase letters. 

5 . Use the two list boxes and the Move command button to specify the 
membership for this group. 

6 . Choose the OK command button and press [Enter]. 

You have added a new group to this server. Now you need to grant the new 
group access to local area network resources. See the "Managing Resources" 
section later in this chapter. 
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Example 

The mis server has four modems; Mary wants to share this pool of modems with 
certain individuals. She could assign individual permissions to each person, but 
instead she decides to establish a modem-users group so that she can assign 
permissions easily. 

In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, she moves into the 
Groupname list box, selects [NEW], and chooses the Add command button. 
In the Add Group Account dialog box, Mary types the name of the group {modem- 
users) in the Groupname text box. She is now ready to define group membership. 

The Members list box is empty, since she did not select an existing group before 
adding this new group. Mary moves to the Non-members list box, selects a 
username that she wants to add to the Members list box, and then chooses the Move 
command button. She repeats this select and move action until she has defined the 
group membership to her satisfaction. She completes the process by choosing the 
OK command button. 



Using NET GROUP to Add Groups 

To add a group, use the NET GROUP command with the following options: 

net group groupname /add 

groupname is the group that you want to add. 

/add is the option that tells LAN Manager to add the group. 

To add members to the group, see the "Adding Members to a Group" section 
immediately following this section. 



Managing User-Level 
Security 




8-35 



Adding Members to a Group 

When you add a new user to the local area network, you might need to include that 
user in some of the existing groups on the local area network. You can define 
group memberships when you add the user account, as described under "Adding 
Users" earlier in this chapter, or on a later occasion. A user can be a member of up 
to four groups, not counting the users group. 

1 . Select the Accounts menu and choose the Users/groups menu item. 

The Users/Groups dialog box appears. 

2 . In the Groupname list box, highlight the name of the group to which you 
want to add a member and choose the Zoom command button. 

The Change Group Account dialog box appears. 

3 . Li the Change Group Account dialog box, highlight the user name you want 
to add as a member to the group from the Non-members list box and choose 
the Move command button. 

4 . Repeat steps 2 and 3 until you are done adding members to the group. 

5 . Choose the OK command button. 
Example 

In creating the modem-users group, Mary forgot that the new accounting clerk, 
John O'Clare, will need to use a modem in order to dial in to a bulletin board 
service. She must add John's user name (johnoc) to the modem-users group. 

In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, she moves into the 
Groupname list box, selects modem-users, and chooses the Zoom command 
button. 

In the Change Group Account dialog box, Mary moves to the Non-members list 
box, selects johnoc, and then chooses the Move command button. This moves 
johnoc to the Members list box. Finally, Mary chooses the OK command button. 
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Using NET GROUP to Add Group Members 

To add members to a group, use the NET GROUP command with the following 
options: 

net group groupname username[ username{ ...]] /add 

groupname is the name of an established group. 

username is the user name that you want to add to this group. You can type more 
than one user name, separated by spaces. 

/add is the option that tells LAN Manager you are adding to the group. 



Removing Members from a Group 

You'll need to remove a user from a group if you are restructuring groups or if a 
person no longer needs to belong to a group. 

1 . Select the Accounts menu and choose the Users/groups menu item. 
The Users/Groups dialog box appears. 

2 . In the Groupname list box, select the group name of the group you want to 
change and choose the Zoom command button. 

3 . In the Change Group Account dialog box, select the user name you want to 
remove from the group and choose the Move command button. 

4. Choose the OK command button. 
Example 

In creating the modem-users group, Mary included Jack Starkey's user name in the 
group membership, since he uses a modem to contact his home computer. Jack has 
since purchased a modem for his office computer, since his modem use is mostly 
recreational. Mary decides to remove Jack's user name (jackst) from the modem- 
users group membership. 



Managing User-Level 
Security 

o 

8-37 



In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, she moves into the 
Groupname list box, selects modem-users, and chooses the Zoom command 
button. 

In the Change Group Account dialog box, Mary moves to the Members list box, 
selects jackst, and chooses the Move command button. This moves jackst to the 
Non-members list box. Finally, Mary chooses the OK command button. 



Using NET GROUP to Remove Group Members 

To remove a group member, use the NET GROUP command with the following 
options: 

net group groupname username[ username[ ...]] /delete 
groupname is the name of an established group. 

username is the user name (or user names) that you want to remove from this 
group. If you are typing more than one user name, separate them with spaces. 

/delete is the option that tells LAN Manager to delete one or more user names from 
the group. 



Removing Groups 

Defining groups is a powerful way of keeping the local area network attuned to the 
needs of its users. Removing a group can have great impact. Before removing a 
group, consider the consequences and be sure to notify users if it will change their 
abilities to access resources. Users don't need to know about group names, since 
those are only meaningful to administrators; users only need to know whether or 
not they can access a given resource. 

1 . Select the Accounts menu and choose the Users/groups menu item. 



The Users/Groups dialog box appears. 
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2 . From the Groupname list box, select the group name you want to delete and 
choose the Delete command button. 

A message box appears, asking you to confirm your decision. 

3 . Choose the OK command button. 
Example 

Mary has been evaluating some project management software. To solicit opinions, 
she put the software on the mis server, then invited people to try out the software 
with the NET RUN command. To control access to the software, she defined a 
group project. Her evaluation completed, Mary now wants to remove the project 
group. 

In the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, she moves into the 
Groupname list box, selects project, and chooses the Delete command button. She 
confirms her choice by choosing the OK command button, and the project group 
ceases to exist. 

This concludes the discussion of dealing with groups. The next sections include 
procedures for setting and changing permissions for individual resources. 



Using NET GROUP to Remove Groups 

To remove a group, use the NET GROUP command with the following options: 

net group groupname /delete 

groupname is the name of the group that you want to remove. 

/delete is the option that tells LAN Manager to delete the group. 
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Managing Resources 

A resource is anything you can share with LAN Manager. For a more detailed 
description of resources and resource permissions, see the "User-Level Security" 
section at the beginning of this chapter. 

The following sections provide detailed procedures for four tasks: 

• Looking at permissions. 

• Changing permissions for disk resources. 

• Assigning default and inherited permissions. 

• Changing permissions for other resources. 



Looking at Permissions 

When you share resources under user-level security, you should assign 
permissions for each resource. You may need to review the assigned permissions 
under the following circumstances: 

• When someone who should have access to a resource can't use it. 

• When someone who shouldn't have access to a resource is using it. 

• When you want to change the permissions for a resource. 

1 . Select the Accounts menu and choose one of the following menu items: 

♦ Choose the File permissions menu item to look at permissions for a disk 
resource. The File Access Permissions For dialog box appears. 

• Choose the Other permissions menu item to look at permissions for all 
other types of resources (printer queues, communication device queues, 
and IPC resources). The Other Access Permissions dialog box appears. 
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2 . For disk resources, use the list box and the File Access Permissions For 
dialog box Dir command button to move through the directories to find the 
resource. 

When you have found the drive, directory, or file that you want to examine 
(either in the list box or by typing its pathname in the text box), choose the 
Zoom command button to look at permissions. 

If you are looking at any other type of resource, select a resource from the list 
box of the Other Access Permissions dialog box and choose the Change 
command button to look at permissions. 

3 . Find the Permitted list box. In the Edit File Permission dialog box (or 
Change Permissions for other types of resources), the Permitted list box 
shows all users and groups with permissions for this resource. Each entry is 
of the form: 

name '.permissions 

name is the user name or group name. 

permissions specifies the assigned permissions. 



4 . Choose the Cancel command button to leave this dialog box without making 
changes. 

A user whose name does not appear in the Permitted list box can only use the 
resource if the user has admin privilege or the user is a member of a group 
that is permitted to use the resource. 
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Changing Permissions for Disk Resources 

Under user-level security, LAN Manager maintains a database of permissions for 
resources regardless of whether those resources are being shared at any given time. 
Thus, if you stop sharing a resource and then decide later to start sharing it again, 
LAN Manager remembers the permissions you have previously assigned for that 
resource. Every resource starts with default permissions; if you change those 
default permissions, they remain changed until you choose to change them again. 
For a description of default permissions, see the "Assigning Default and Inherited 
Permissions" section immediately following this one. 

The LAN Manager screen automatically asks you for permissions when you create 
a new home directory for a user account (see the "Managing Users" section earlier 
in this chapter). Under all other circumstances, you must assign permissions for 
each drive or directory, or else accept the default permissions. 

You may want to change permissions for a disk resource under the following 
circumstances: 

• When you want to stop using the default permissions for a resource. 

• When you want to assign, change, or delete permissions for a user or group. 



Changing Disk Permissions 

To change the permissions for a disk resource, follow these steps: 

1 . Select the Accounts menu and choose the File permissions menu item. 

The File Access Permissions For dialog box appears. 

2 . Use the list box and Dir command button to move through the directories to 
find the resource server. 



You can also type the pathname of the resource in the Filename text box. 
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3 . Choose the Zoom command button. 

The Edit File Permission dialog box appears. 

4 . Select the Set explicit permissions option button. 

• If you want to use default permissions, see the "Assigning Default and 
Inherited Permissions" section immediately following this one. 

• If you want to remove the current permissions and start from scratch, 
choose the Clear permissions command button. 

5. Mark or unmark the following check boxes as needed: 

• Audit this resource-If you want to keep track of who uses this resource, 
when, and what they do with it, you should mark this check box. See 
Chapter 12: Monitoring and Troubleshooting Server Operations, for 
details on resource auditing. 

• Copy permissions to descendants-If you want to assign the permission 
for this resource to every directory and file below it in the directory 
structure, you should mark this check box. See the "Assigning Default 
and Inherited Permissions" section immediately following this one for 
details on inherited permissions. 

6 . Use the two list boxes, the Permission option buttons, and the Move 
command button to specify the permissions for each user and group as 
follows: 

• To add a user or group to the Permitted list box, select that usemame or 
group name from the Not permitted list box and choose the Move 
command button. The user or group moves to the Permitted list box with 
whatever permissions are currently selected among the permission option 
buttons. Each resource can have up to 64 entries in the Permitted list box. 

• To remove a user or group from the Permitted list box, select that 
username or group name and choose the Move command button. 
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• To change the permissions for a user or group in the Permitted list box, 
choose that user name or group name and select one of the permission 
option buttons. If you select the Other option button, you can type a set 
of permissions in the text box below the option button. 

See the "User-level Security" section earlier in this chapter for detailed 
descriptions of each permission option button. 

7 . Choose the OK command button. 

Example 

Mary Sullivan wants to share the c:\accounts directory on the mis server with the 
accounting group. She wants the group's members to be able to read or write to 
existing files in the directory. 

In the LAN Manager screen, Mary selects the Accounts menu and chooses the File 
permissions menu item. In the File Access Permissions For dialog box, she selects 
[C:] in the Tree: list box and chooses the Dir command button. This displays the 
contents of drive C in the list box. 

Mary selects the accounts directory in the list box and chooses the Zoom command 
button. In the Edit File Permission dialog box, she selects the RW option button, 
then moves the accounting group from the Not permitted list box to the Permitted 
list box. Mary finishes by choosing the OK command button. Having changed the 
permissions on the c:\accounts directory, she is now ready to share it. 
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Using NET ACCESS to Manage Network Permissions 

You can use the NET ACCESS command to manage user and resource permissions 
on the network. The following sections explain the different options in detail. 



MET ACCESS 




Using NET ACCESS to Change Resource Permissions 

To change the permissions for a spooled printer, disk, communication queues and 
IPC resources, use the NET ACCESS command with the following options: 

net access resource [ /add | /grant | /change] 
account permissions 

resource is the full pathname of the drive, directory, or file. 

/add is the option that tells LAN Manager to add this resource to the access control 
database; use this if this is the first time you are assigning permissions for this 
resource. 

/grant is the option that tells LAN Manager to add permissions for a user or group 
to the access control database; use this if you are adding to the list of users or 
groups that have permission to use the resource. 

/change is the option that tells LAN Manager to modify the existing permissions for 
a user or group. 
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account is the user name or group name whose permissions you want to change. 
permissions is the permissions that you want to assign. 

NOTE: For instructions on how to use the command flow diagram chart refer to 
Appendix C. 

Using NET ACCESS to Remove User Permissions 

To remove permissions for a user or group, use the NET ACCESS command with 
the following options: 

net access resource /revoke account 

resource is the full pathname of the drive, directory, or file. 

/revoke is the option that tells LAN Manager to revoke permissions. 

account is the user name or group name whose permissions you want to remove. 

Using NET ACCESS to Remove Resource Permissions 

To remove all permissions for a resource, use the NET ACCESS command with 
the following options: 

net access resource /delete 

resource is the full pathname of the drive, directory, or file. 

/delete is the option that tells LAN Manager to remove this resource from the access 
control database. 
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Using NET ACCESS to Audit a Resource 

To turn on audit trailing for a resource, use the NET ACCESS command with the 
following options: 

net access resource /trail :y 

resource is the full pathname of the drive, directory, or file. 
trail:y is the option that tells LAN Manager to enable audit trailing. 



Changing Permissions as a Nonadministrative User 

When you give the P permission to a user, you allow that user to change 
permissions on a disk resource. This is very different from granting administrative 
privilege. Someone with admin privilege can change permissions on any resource, 
while a user with the P permission can change permissions only on the specific 
resource for which you grant the P permission. 

Since permissions are usually the concern of administrators rather than users, the 
procedure for using the P permission is discussed here rather than in the 3+Open 
MS OS/2 LAN Manager User Guide. Since an administrator on one server may not 
necessarily have admin privilege on another server, administrators may also need to 
use the information in this section. 

If you don't know whether you have the P permission for a given resource, try 
following the steps in this section. If you don't have the proper permissions, you 
will not be able to complete the steps. 
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Changing Disk Permissions as a User 

To change the permissions for a disk resource, when you have the P permission for 
the resource but you do not have admin privilege, follow these steps: 

1 . Check that the resource for which you have the P permission has been shared 
at the server. 



If the resource is not shared, you cannot access it from another computer. 

2 . Use the resource, assigning it a local drive letter. 

You can do this from the LAN Manager screen or with the NET USE 
command at the OS/2 prompt. 

3 . Use the NET ACCESS command to change permissions on the resource. 

This is described in the "Changing Disk Resource Permissions" section earlier 
in this chapter. You must use the local drive letter plus the full pathname in 
referring to the resource, rather than using the net pathname. 

For example, you must refer to x:\marys\file rather than 
\\mis\homes\marys\file. 



NOTE: If you use the NET ACCESS /ADD command to assign permissions to a 
resource, remember to add your own username with a set of permissions. 
Otherwise, you will not be able to access this resource, even though it is in a 
directory for which you have the P permission. Of course, an administrator can 
always access any resources regardless of permissions. 
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Example 

John O'Clare has the P permission for his home directory on the mis server. John 
wants to allow Jenny Tibbett (jennyt) to read a certain file in his home directory. 

First, John checks that home directories are being shared on the mis server by 
typing the following command: 

net view \\mis 

Net Name Type Used as Remark. 



HOMES Disk Home directories 

John uses the shared resource with the NET USE command: 
net use h: \\mis\homes 

John's home directory is \\mis\homes\johnoc, and the file that he wants to let Jenny 
read is named testfile in that directory. John grants the proper permission with the 
following command: 

net access h:\johnoc\testfile /add jennyt :R 
johnoc :RWCDXAP 

Note that if John does not add his own name and permissions to this command, he 
would be in the embarrassing position of giving Jenny permission to read the file 
while excluding himself from any access to the file. He would not even be able to 
delete the file; he would have to ask an administrator to do it for him. 



Assigning Default and Inherited Permissions 

Every drive, directory, or file on a server must have a set of permissions. If you do 
not explicitly set permissions for a resource (file or directory), then that resource 
has default permissions. Default permissions are determined by certain other 
permissions that you have set. 
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LAN Manager uses the following series of tests to determine the default 
permissions for a disk resource: 

• If the resource is a disk drive, it must have explicit permissions. Every disk 
drive starts with a null (blank) set of explicit permissions. 

• If the resource has explicit permissions, LAN Manager uses those permissions. 

• If the resource has a parent that has explicit permissions, LAN Manager uses 
those permissions. The parent of a file is the directory in which the file is 
located. The parent of a directory is the next higher directory (if one exists). 

• If the parent has no explicit permissions, use the permissions for the drive on 
which this resource is located. 



Effects of Default Permissions on Disk Resources 

These rules have effects that may not be obvious: 

• Any explicit permissions that you set for any disk resource override default 
permissions that you set for the disk drive. 

• If a directory does not itself have explicit permissions, then any file or 
subdirectory in that directory takes default permissions from the drive. This is 
true even if the directory itself takes default permissions from its parent. 

• If you give anyone with guest privilege explicit permissions at the drive level, 
you must be careful to exclude that user with the N permission from any 
sensitive resource on that drive. This is tricky because you might assign the N 
permission to the users group for a resource, thinking that this excludes all 
users, when guest users are still able to access the resource (since they are not 
members of users). 

• When you create a directory for any purpose, you should assign explicit 
permissions to it if you want it to have something other than default 
permissions. 
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If you want to avoid the pitfalls of default permissions, you can assign inherited 
permissions for an entire directory tree (a directory plus all of its files and 
subdirectories). If you later add subdirectories or files to this directory, they will 
not inherit these inherited permissions unless you reset inherited permissions for the 
entire tree. Inherited permissions are permissions that trickle down to each file and 
subdirectory under a particular directory. 



Assigning Inherited Permissions 

To set inherited permissions for a disk resource, follow these steps: 

1 . Select the Accounts menu and choose the File permissions menu item. 
The File Access Permissions For dialog box appears. 

2 . Use the list box and Dir command button to move through the server's 
directories to the directory. 

You can also type the pathname of the directory in the Filename text box. 

3 . Choose the Zoom command button if you want to examine the existing 
permissions for this resource. 

When you're ready to continue, you can return to the File Access Permissions 
For dialog box by pressing [Esc]. 

4 . Select the Permit tree command button. This assigns the current permissions 
for this directory to all of the directory's descendants. 

5 . If you want to remove an entire directory tree from the access control 
database, select the Revoke tree command button. This removes all 
permissions throughout the directory tree, no matter how those permissions 
were assigned. 
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You can also assign inherited permissions from the Edit File Permissions dialog 
box by marking the Copy permissions to descendants check box. This performs 
the same action as the Permit tree command button in the File Access Permissions 
For dialog box. 

Example 

Mary wants to assign the accounting group RW permission for all subdirectories 
and files in the C:\Accounts directory. 

Mary selects the Accounts menu and chooses the File permissions menu item. In 
the File Access Permissions For dialog box, she selects [C:] in the Tree: list box 
and chooses the Dir command button. This puts the contents of the drive C in the 
list box. 

Mary then selects the Accounts directory and chooses the Permit tree command 
button. 

This concludes the discussion of permission for disk resources. The next section 
discusses permissions for other resources. 



Using NET ACCESS to Assign Inherited Resource Permissions 

To assign inherited permissions for a resource, use the NET ACCESS command 
with the following options: 

net access resource /tree 

resource is the full pathname of the drive, directory, or file. 

/tree is the option that tells LAN Manager to assign inherited permissions 
throughout the directory tree. 

To remove permissions for an entire directory tree from the OS/2 prompt, use the 
NET ACCESS /REVOKE command to revoke all permissions on the directory, 
then use the NET ACCESS /TREE command to assign the null (blank) set of 
permissions throughout the directory tree. 
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Changing Permissions for Other Resources 

LAN Manager uses three types of resources in addition to disk resources: spooled 
printer queues, communication device queues, and IPC resources. See the "User- 
Level Security" section earlier in this chapter for a description of each of these 
resource types. 

To look at or change permissions for a disk resource, you must supply the 
pathname of the drive, directory, or file. To look at or change permissions on other 
types of resources, you supply one of the following names: 

♦ \printsharename for spooled printer queues. 

• \comm\sharename for communication device queues. 

• \pipe\sharename for IPC resources. 

For each of these resource types, LAN Manager maintains a default set of 
permissions. You can change the default permissions by changing permissions on 
these special sharenames: 

• \print for spooled printer queues. 

♦ \comm for communication device queues. 

♦ \pipe for IPC resources. 

When you change permissions on one of these special sharenames, you change the 
default permissions for that type of resource. 

You can create spooled printer queues and communication device queues 
automatically by sharing a queue that does not yet exist. When you do this, the 
LAN Manager screen prompts you for permissions for the new queue. 
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You may want to change permissions for a resource under the following 
circumstances: 

• When you want to stop using the default permissions for the resource. 

• When you want to assign, change, or delete permissions for a user or group. 



Changing Print, Comm, and IPC Permissions 

1 . Select the Accounts menu and choose the Other permissions menu item. 

The Other Access Permissions dialog box appears. 

2 . In the list box, select the resource whose permissions you want to change and 
choose the Change command button. 

The Change Permissions dialog box appears. 

3 . Choose the Set explicit permissions option button. 

If you want to use default permissions, choose the Use default permissions 
option button and do not change permissions in this dialog box. 



NOTE: The \comm, \pipe, and \print resources must always have explicit 
permissions, since they represent the defaults for other resources. 



• If you want to remove the current permissions and start from scratch, 
choose the Clear permissions command button. 

4 . Mark or unmark the following check box as needed: 

• Audit this resource-If you want to keep track of who uses this resource, 
when they use it, and what they do with it, you should mark this check 
box. See Chapter 12: Monitoring and Troubleshooting Server 
Operations, for details on resource auditing. 




8 

8-54 



Managing User-Level 
Security 



5. Use the two list boxes, the permission option buttons, and the Move 
command button to specify the permissions for each user and group. 

• To add a user or group to the Permitted list box, choose that useraame or 
groupname in the Not permitted list box and select the Move command 
button. The user or group moves to the Permitted list box. Each resource 
can have up to 64 entries in the Permitted list box. 



NOTE: If the permission option button is set to No when you move a user name 
into the Permitted list box, then what you are in effect doing is stipulating that that 
user cannot use the resource, regardless of whatever groups that individual may 
belong to. 



♦ To remove a user or group from the Permitted list box, select that 
username or group name and choose the Move command button. 

• To change the permissions for a user or group in the Permitted list box, 
select that user name or group name and select one of the permission 
option buttons. 



6 . Choose the OK command button. 
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Example 

Mary has set up a spooled printer queue laser on the mis server. She now wants to 
give the accounting group Y permission for this queue. 

From the LAN Manager screen, Mary selects the Accounts menu and chooses the 
Other permissions menu item. In the Other Access Permissions dialog box, she 
selects ^rintMaser in the list box and chooses the Change command button. 

In the Change Permissions dialog box, she selects the Y option button and then 
moves the accounting group from the Not permitted list box to the Permitted list 
box. Since this is the only permission she wants to allow, Mary finishes by 
choosing the OK command button. She is now ready to share the laser spooled 
printer queue. 



Using NET ACCESS to Change Other Resources 

For information on how to use the NET ACCESS command to change and remove 
user and resource permissions or audit a resource, refer to "Using NET ACCESS 
to Manage Network Permissions" earlier in this chapter. 
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Chapter 9: Managing Share-Level 
Security 

This chapter describes share-level security, an alternative to user-level security. 
Share-level security controls access on a per-resource basis, rather than on a per- 
user basis as with user-level security. See Chapter 8: Managing User-Level 
Security, for definitions of the two types of security. 



Share-Level Security 

Under share-level security, you assign a password and a single set of permissions 
to each resource that you share on a server. Anyone who knows the password can 
use that resource, within the limits of the permissions. 

If you don't know what security level your server is running, look for the 
following line in the LAN Manager screen: 

Server operating in share security mode. 

Figure 9-1 shows what happens when a user tries to access a resource shared by a 
share-level server. 
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Figure 9-1. Access Under Share-Level Security 



Passwords 

Under user-level security, a user needs to know only one password in order to 
access resources on a server, that password is part of his or her user account. Once 
the server verifies the password, it will not ask for it again. 

Share-level servers do not maintain user accounts. If the password supplied by the 
user matches the password for the resource, access is granted. The user may have 
to supply a different password for each resource. You cannot change a password 
without deleting the sharename and reestablishing it with a different password. 

A user at a netstation does not need to know, and may in fact not be able to tell, if a 
server is running user-level or share-level security. Under either security method, 
you provide a user name and password when you log on to the local area network. 
The user issues the same commands to request access to the server, and the server 
responds in the same way. 
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Permissions 

Under share-level security, when you share a disk resource you assign a set of 
access permissions for that resource. Share-level security grants that same set of 
permissions to each user who knows the password for the resource. The meaning 
of most of the disk resource permissions (RWCDXA) is the same as for user-level 
security. There are certain differences, however. Under share-level security: 

• All users have the same set of permissions. 

• The P permission, which means "Change permissions" in user-level security, 
means "administrators only" in share-level security. See the following section 
for a discussion of administration and the P permission. 

• The server does not keep permanent records of permissions; you must specify 
permissions each time you share a resource. 

Under user-level security, permissions are a permanent (yet alterable) aspect of a 
resource, meaning that they persist whether you are sharing the resource or not. 
The access control database keeps track of permissions for all resources. 

Share-level security doesn't use an access control database. Each sharing of a 
resource is an independent event; the permissions assigned are effective only until 
you stop sharing the resource. 



How LAN Manager Determines Access 

Share-level servers evaluate user requests for access to a resource in this order: 

• Is the P permission set for this resource? If not, then continue to the next 
check. The P permission ("administrators only" in share-level security) 
overrides all other permissions and passwords. 

• Does the user's password match the resource's? If so, then continue to the next 
check. If not, prompt once for a different password. If this one doesn't match, 
deny access to the resource. 
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• Do the share permissions allow the requested activity? If so, grant the request. 
If not, deny access to the resource. 

As under user-level security, MS OS/2 physical file attributes (R: Read Only, H: 
Hidden, S: System, and A: Change Attributes) co-exist with LAN Manager 
permissions. Access must be granted by both MS OS/2 and by LAN Manager. For 
example, if a file in a shared directory has the LAN Manager W permission but also 
the OS/2 R attribute, the user cannot write to the file. 



Administrators 

Under user-level security, an administrator is anyone with the admin privilege level. 
Share-level security does not recognize the concept of privileges. 

Under share-level security, an administrator is anyone who is using the ADMIN$ 
special administrative resource. This is not automatically shared under share-level 
security, and so you must deliberately share it and assign a password if you want to 
allow administrative access to your server. See the "Sharing the Special 
Administrative Resources" section later in this chapter for details on how to share 
the ADMIN$ resource. 

A user must explicitly use the ADMINS resource, supplying the proper password, 
before administrating your server. For example, if Mary sets the password "passl" 
for ADMINS on the mis server, a user would have to type the following command 
before administrating the mis server: 

net use \\mis\ admin $ passl 

Do not share the ADMINS resource without a password, since this would allow 
any user to be an administrator on the server. 

An administrator can use resources that have the P permission and issue LAN 
Manager commands on the server (see Chapter 11: Administrating a Network 
Server). 
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Setting Up Share-Level Security 

In this section, you will learn how to prepare your server for share-level security. 
You need to do this if you want to control access to resources on a per-resource 
basis. 



Checklist for Share-Level Security 

The following checklist summarizes what you must do in order to make share-level 
security work on your server: 

1 . Set the security= entry in the LANMAN.INI file to "share." 

2. Share a set of resources, defining a password for each resource and 
permissions for each disk resource. 

3 . Share the special administrative resources IPC$ and ADMIN$ as necessary. 
The following sections describe each of these steps in detail. 



Defining the Security= Entry 

You can define the security= entry in the LANMAN.INI file to enable share-level 
security. 

• By using the 3+Open LAN Manager installation program, netsetup. When 
prompted for the security type, answer "share". 
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• By editing the LANMAN.INI file. Find the security^ entry and edit the line to 
read: 

security=share 

See the 3+Open Network System Guide for details on this and other 
LANMAN.INI entries. 

After defining the security= entry, you must stop and restart the LAN Manager 
Server service to make the change effective. See Chapter 2: Starting and Using 
LAN Manager Services, for details on starting and stopping services. 



Sharing Resources 

For each resource that you share, you may define a password and a set of 
permissions. 

For a user to be able to access a resource: 

• The user must know the password for the resource, if you have set one. 

• The action that the user wants to take must be allowed by the assigned 
permissions. 



Sharing the Special Administrative Resources 

LAN Manager sets up some special shared resources every time you start the 
server. The sharenames of these resources end in a dollar sign ($), identifying 
them as special administrative resources. In share-level security they are accessible 
only if you decide to share them. 
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Two resources require special handling under share-level security: 

• IPC$ is for interprocess communication (IPC). Without this shared resource, 
users cannot look at ("view") resources on the server, though they can use a 
resource if they already know its sharename. If you want to make the Netrun 
service available on the server, you must share this resource. 

• ADMIN$ is for network administration of the server. If you want to allow 
administration of this server from another computer, you must share this 
resource. 

You may want to share the IPC$ resource with no password, since this allows all 
users to see resources on the server and run shared programs. The password for 
IPC$, however, is the only security for shared programs, so you may want to 
assign a password if this security is important to you. 

See the "Administrators" section earlier in this chapter for a further description of 
the ADMINS resource. See Chapter 3: Managing Shared Resources for 
instructions on how to share these and other resources. 



NOTE: Do not assign the P permission to the ADMIN$ resource. The P 
permission means "administrators only," and you cannot be an administrator until 
you use this resource. Therefore, no one can remotely administrate this server if 
the ADMINS resource has the P permission. 
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Dealing With Resources 

A resource is anything you can share with LAN Manager. The following sections 
provide detailed procedures for three tasks: 

• Looking at passwords and permissions. 

• Changing permissions. 

• Changing passwords. 

See Chapter 3: Managing Shared Resources for information about how to share 
resources. 



Looking at Passwords and Permissions 

When you share resources under share-level security, you must assign a password 
and a set of permissions to each resource. You may need to check the passwords 
or permissions under the following circumstances: 

• When someone who should have access to a resource can't use it. 

• When you have forgotten the passwords or permissions for a resource and need 
to look them up. 

• When you want to change a password or the permissions for a resource. 
To look at the password and permissions for a resource, follow these steps: 

1 . Select the view menu and choose the This server menu item. 

The Resources This Server Is Sharing With the Network dialog box appears. 

2 . Select the resource you want to examine from the list box. 
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3 . Choose the Zoom command button. 

The Shared Resource Information dialog box appears. The password for this 
shared resource is in the Password display field. The permissions are in the 
Permissions display field. 

If the Password display field of the Shared Resource Information dialog box 
is empty, then there is no password on this resource, which means that: 

• If the P permission is set, only administrators can access the resource. 

• If the P permission is not set, anyone can access the resource (subject to 
the other permissions). 

Example 

Mike Greenbaum runs MacroCorp's print! server, located in the second-floor 
printer room, as a share-level server. Mike prefers the simplicity of share-level 
security, where he doesn't have to keep track of user names or group names or 
individual access permissions. The print! server shares six printers and several 
directories with the local area network. 

Jenny Tibbett, Executive Vice-President of Finance, sends a message to Mike 
saying that she is unable to write a file to the \\Print2\Scratch directory (a large 
shared directory intended for general-purpose use). Mike suspects that he forgot to 
include the W permission when he shared the directory that morning. 

In the LAN Manager screen at print2, Mike selects the view menu and chooses the 
This server menu item. In the Resources This Server Is Sharing With the Network 
dialog box, he selects scratch and chooses the Zoom command button. 

In the Shared Resource Information dialog box, Mike sees that the permission set 
for scratch is RCD AX; he did indeed forget to specify W permission. In the next 
section, you will see how he corrects his error. 
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Using NET SHARE to View Resource Permissions 

You cannot look at resource passwords from the OS/2 prompt. However, to look 
at resource permissions, use the NET SHARE command with the following option: 

net share sharename 

sharenome is the resource you want to examine. 



Changing Permissions 

Passwords and permissions control access to resources. You may want to change 
permissions for a resource under the following circumstances: 

• When you restrict or expand what users can do with the resource. 

• When you want to set or remove the P permission, closing off or allowing 
access to the resource. 

You can only change permissions on a resource that is being shared. If a resource 
is not being shared, it has no permissions for you to change. 



Using NET SHARE to Change Permissions 

You cannot change permissions from the LAN Manager screen. Use the NET 
SHARE command with the following options: 

net share sharename perm: permissions 

sharenome names the shared resource. 

perm: tells LAN Manager to change permissions. 

permissions specifies the permission set for this resource (any combination of 
RWCDXAP). 
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Changing Passwords 

Passwords and permissions control access to resources. You may need to change a 
password for security reasons. 

To change the password for a resource, you must stop sharing the resource and 
then reshare it with the new password. You cannot change the password when the 
resource is being shared. 

1 . Make a note of the current password and permissions for the shared resource 
that you want to change. 

Refer to the procedure in the "Looking at Passwords and Permissions" 
section. 

2 . Select the view menu and choose the This server menu item. 

3 . In the Resources This Server Is Sharing With the Network dialog box, select 
the resource you want to change from the list box. 

4 . Choose the Delete command button. 

The Stop Sharing a Network Resource dialog box appears. 

5 . Choose the OK button to delete the shared resource. 

You now see the Resources This Server Is Sharing With the Network dialog 
box again, 

6 . Choose the Add share command button. 

The What would you like to share? dialog box appears. 
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7 . Select the option button for the type of resource you want to share and choose 
the OK command button. 

A dialog box appropriate to that resource type appears. In this dialog box, 
type the sharename for the resource in the Sharename text box and the desired 
password in the Password text box. (You'll probably want to use the same 
sharename as last time.) 

8 . For a disk device, move to the column of option buttons labeled Permissions 
and mark the check boxes for the permissions that you want 

The Admin only check box is the P permission. 

9 . Choose the OK command button. 
Example 

Mike wants to change the password and permissions for the \\Print2\Scratch 
directory. He wants to add the W permission and to remove the X and A 
permissions. 

Mike selects the view menu and chooses the This server menu item. In the 
Resources This Server Is Sharing With the Network dialog box, he selects scratch 
from the list box and chooses the Delete command button. When he chooses the 
OK command button in the confirmation dialog box, the Resources This Server Is 
Sharing With the Network dialog box reappears; Mike can see that scratch is gone. 

Mike proceeds to choose the Add share command button. In the What would you 
like to share? dialog box, he selects the Disk directory option button and chooses 
the OK command button. The Share a Disk Directory dialog box appears. 

Mike types the same sharename, path, and remark for this resource as last time. In 
the Password text box, he types the new password. Moving to the Permissions 
option buttons, he selects the Read, Write, Create, and Delete option buttons and 
chooses the OK command button. The\\Print2\Scratch directory is shared again, 
but with a different password and set of permissions. 
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Using NET SHARE to Change Passwords 

1 . To change the password for a shared resource, first delete the existing 
sharename. 

Use the NET SHARE command with the following options: 
net share sharename /delete 

sharename specifies the shared resource. 

/delete is the option that tells LAN Manager to stop sharing the resource. 

2 . Recreate the sharename, but with the changed password. 

Use the NET SHARE command with the following options for disk 
resources: 

net share sharename=pathname [password] permipermissions. 

sharename is the sharename you want to assign to the resource. 

pathname is the pathname of the resource. 

password is the password you want to use (if any). 

permissions is the permission set for this resource (any combination of 
RWCDXAP). 

See the 3+ Open MS OS/2 LAN Manager User Reference for the equivalent 
commands for spooled printer queues, communication device queues, or IPC 
resources. 
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Chapter 10: Managing Logon Security 

The previous two chapters dealt with access to specific servers and resources; this 
chapter covers the wider concept of access to the local area network itself. Logon 
security is LAN Manager's way of controlling access to a local area network. 



Logon Security 

Logon security provides a measure of control over who can use the local area 
network, and allows administrators to tailor the working environments of individual 
users. 

If you do not choose to install logon security, resources are still protected by user- 
level or share-level security. 



NOTE: DOS netstations are not subject to logon security. Logon security applies 
only to MS OS/2 LAN Manager OS/2 netstations. 
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Logon security is not enabled on the LAN Manager distribution disks. If you want 
to use logon security, you must choose one of the following: 

• Centralized logon security. 

• Distributed logon security. 

The following sections describe these two alternatives, as well as the concept of 
scripts, which are essentially batch files that you can have LAN Manager run 
whenever a user logs on. 

If you are using the Entry-Level LAN Manager product, the local area network has 
only one server. Centralized logon security is the simplest choice in this case. 



Centralized Logon Security 

Under centralized logon security, you designate one server as the central validator 
of users. When someone tries to log on to the local area network, this server 
checks their user name and password and either grants or denies them access to the 
local area network. 



Advantages of Centralized Logon Security 

Centralized logon security is best for small local area networks or for local area 
networks centered around a single server. Centralized logon security has the 
following advantages: 

• The administrator only has to deal with one server in maintaining a central 
account database. Other servers may have their own account databases, but the 
central server is a gateway through which all users must pass. This can make 
an administrator's job much easier. 

• By changing a user's account on the central server, you can affect that user's 
access to the entire local area network. 
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• For local area networks made up of share-level servers, a central server can 
serve as the sole method of controlling access to resources by user name. 

• The response a user receives when logging on won't vary according to which 
server validates the request. 

• Centralized logon security spans an entire local area network regardless of LAN 
groups. 



Disadvantages of Centralized Logon Security 

Centralized logon security also has the following drawbacks: 

• The central server must maintain accounts for all valid users. 

• The central server bears the burden of processing all requests to log on. This 
can affect the general performance of the server. 

• A user can specify any LAN group when logging on. 

• If the central server is not running, no one can log on. 

To ran centralized logon security, you should have a server that can be running 
during all hours when you want to allow access to the local area network. See the 
"Managing Centralized Logon Security" section later in this chapter for details on 
how to run centralized logon security. 



Distributed Logon Security 

Under distributed logon security, you divide the responsibility for validating users 
among multiple servers. When a user tries to log on to the local area network, the 
logon request can go out simultaneously to all servers in the LAN group (defined 
by the langroup= entry in the LANMAN.INI file). Any server running the proper 
software can evaluate the user name and password, with the following results: 
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• If a server recognizes the user name and password as valid, it responds to the 
logon request as if it were a central server. 

• If a server does not recognize the user name and password, it does not respond. 
If no server responds to the logon request, the user cannot log on. 



Advantages of Distributed Logon Security 

Distributed logon security is best for large local area networks or for local area 
networks that divide well into clusters of users and computers. Distributed logon 
security has the following advantages: 

• Each server maintains accounts only for valid users of that server. You don't 
need to maintain duplicate user accounts on a central server and on the server 
where a user normally works. 

• No one server bears the burden of processing all logon requests. 

• If one server is not running, users may still be able to log on through other 
servers. 

• A user can only log on in a LAN group where a server can validate the logon 
request. 



Disadvantages of Distributed Logon Security 

Distributed logon security has the following drawbacks: 

• The administrator has to deal with more than one server in maintaining a 
consistent account database. 

• The administrator may have to change a user's account on several servers in 
order to affect the user's access to the entire local area network. 

• A user can get inconsistent responses when logging on, if servers with different 
accounts for that user are both validating logon requests. 



Managing Logon 
Security 




10-5 



In order to run distributed logon security, you should have more than one server 
acting as a logon validator, and you must have an account on at least one of those 
servers for each user of the local area network. See the "Managing Distributed 
Logon Security" section later in this chapter for details on how to run distributed 
logon security. 



Setting Up Logon Security 

In this section you will learn how to prepare your local area network for logon 
security. You need to do this if you want to control access to the local area network 
or if you want to run scripts on users' computers when they log on. This section 
applies to both centralized and distributed logon security. 



Checklist for Logon Security 

The following checklist summarizes what you must do in order to make logon 
security work on your local area network: 

1 . Set the centralized= entry in the LANMAN.INI file to the appropriate value 
(yes or no). 

2. Set up user-level security on each server that is to be a logon validator (one 
server for centralized logon security, more than one server for distributed 
logon security). 

3 . Start the Netlogon service on each server that is to be a logon validator. 

4. Prepare all other computers (netstations and other servers) for logon security. 

5 . Maintain logon security by keeping track of user accounts, properly installing 
new servers, and providing scripts. 

The following sections describe each of these activities in detail. 
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Defining the Central ized= Entry 

Your first decision is whether to run centralized logon security or distributed logon 
security. The centralized= entry in the LANMAN.INI file defines the logon 
security method. Individual procedures later in this chapter describe how to set this 
entry and what its effects are. 

You should set this entry on every server on the local area network, even those that 
will not be logon validators, to reflect your choice of either centralized or distributed 
logon security. You may decide later to run a different (or additional) server as a 
logon validator, and you need to be sure that all servers agree on the method of 
logon security. 



Setting Up User-Level Security 

Logon security involves checking user names and passwords. Only a user-level 
server has access to this information — a share-level server does not know about 
user names and passwords. Any server that validates logon requests must therefore 
be running user-level security. 

See Chapter 8: Managing User-Level Security, for instructions on how to set up 
user-level security. 



Starting the Netlogon Service 

Logon security is a LAN Manager service. Each server that is to validate logon 
requests must be running the Netlogon service. Netstations and other servers do 
not need to run this service. 

You should set up LANMAN.INI to start the Netlogon service automatically 
whenever you start the server. See Chapter 2: Starting and Using LAN Manager 
Services, for instructions on starting the Netlogon service. 
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Preparing Other Computers 

So far, you have prepared the servers that are to be logon validators. You must 
also prepare all other computers (netstations and other servers) on the local area 
network to work under logon security. 

Users can actually decide whether they want to participate in logon security. They 
can do this either by setting an entry in the LANMAN.INI file or by using a switch 
with the NET START command. You can make this decision for them by editing 
the logonserver= entry in the LANMAN.INI file on all computers. 

Procedures throughout the rest of this chapter explain different options for the 
logonserver= entry in the LANMAN.INI file. There are many possible values for 
this entry; see the appropriate procedures later in this chapter. 



Maintaining Logon Security 

After setting up logon security, there are three things you must do to keep it running 
in good order: 

• Maintain the user accounts on servers that are to function as logon validators. 
The central server in centralized logon security must have an account for every 
possible user, and each account must have logon validation enabled. Under 
distributed logon security, you must ensure that every possible user has an 
account on at least one of the logon servers, and that at least one of these 
accounts has logon validation enabled. 

• Maintain consistency across the local area network. All servers must agree on 
the method of logon security (centralized or distributed), so you must make sure 
that each new server is in line with others on the network. 

• Maintain user scripts. If you use scripts, you must continue to make sure that 
they reflect the realities of your local area network and the needs of its users. 

The remaining sections in this chapter provide procedures that you can use to set up 
and maintain logon security. 
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Managing Centralized Logon Security 

Centralized logon security is one server validating all logon requests on the local 
area network. 

The following sections provide detailed procedures for three tasks: 

• Setting up the central server. 

• Setting up other servers. 

• Setting up netstations. 



Setting Up the Central Server 

If you have decided to use centralized logon security on your local area network, 
and have chosen a server to use as the central logon validator, then you are ready to 
start setting up the server. 

1 . If the server you have selected is already running the Netlogon service, you 
must first stop this service. 

At the OS/2 prompt, type: 

net stop netlogon 

2 . You must also stop any other network server running the Netlogon service. 

3 . Edit the srvservices= entry in the server's LANMAN.INI file to add the 
Netlogon service to the list of services that automatically start with the Server 
service. 

See Chapter 2: Starting and Using LAN Manager Services for more 
information on starting services. 
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4 . Edit the centralized= entry in the LANM AN JNI file to read: 
cent rail zed-yes 

Only one server at a time can be the central logon validator. When you set the 
centralized= entry to yes, you ensure that only one server can start the 
Netlogon service. No other server that tries to start the Netlogon service will 
be able to. 

5 . Make sure that the server is running user-level security. 

Make sure that the security= entry in the LANMAN.INI file reads: 
security=user 

See Chapter 8: Managing User-Level Security for details on setting up user- 
level security. 

6 . Edit the Iogonserver= entry in the LANMAN JNI file to read: 

logonserver= \ \ computer name 

computernome names this server. 

No one can log on to the local area network until you have started the Server 
and Netlogon services at the central logon server. 

You are now finished editing the LANMAN.INI file. 

7 . For each account that you want to be validated by this server, mark the Use 
script check box in the Change User Account dialog box. 

If you do not mark this check box for an account, that user will not be able to 
log on to the local area network. See Chapter 8: Managing User-Level 
Security for details on how to change user accounts and on exactly what the 
Use script check box does. 
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8 . Type the following command at the OS/2 prompt: 
net start netlogon 

You can also simply restart the server. 

This server is now running as the central logon validator for the local area network. 
Now you need to set up all of the other computers on the local area network to run 
under centralized logon security. If you want to provide scripts for users, see 
"Managing Scripts" later in this chapter. 

Example 

Ben Preston, the manager of Human Resources for MacroCorp, has the job of 
setting up and maintaining accounts for people when they join the company. Since 
he doesn't like to keep track of accounts on a lot of different servers, he decides to 
set up the local area network with centralized logon security. He can then maintain 
accounts on one server while other administrators can keep accounts straight on the 
other servers. 

Ben decides to set up the hwnanr server as the central logon validator for all of 
MacroCorp. This server is already a user-level server, and it already has an account 
for every valid user of the MacroCorp local area network. 

Sitting at the hwnanr keyboard in his office, Ben checks the other servers in the 
building to see if any of them are running the Netlogon service. Seeing that the 
printl server is running this service, he stops the Netlogon service on printl by 
typing: 

net admin Wprintl /c net stop netlogon 

(See Chapter 11: Administrating a Network Server for more information on how to 
issue commands that affect other servers.) 
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Ben now must edit the LANMAN.INI file on humanr. There are three lines in the 
file that he must change; they must look like this: 

logonserver= \\humanr 

srvservices= spooler , alerter, net logon 
cent rail zed-yes 

In the LAN Manager screen, Ben selects the Accounts menu and chooses the 
Users/groups menu item. The Users/Groups dialog box appears. 

In the Users/Groups dialog box, he moves into the Users list box. Choosing each 
account in turn, Ben selects the Zoom command button and marks the Use script 
check box for that account. This enables logon validation for each account. 

Finally, Ben types the following at the OS/2 prompt: 

net start netlogon 

The humanr server is now running as a central logon validator. Next, Ben must 
prepare the other servers on the local area network for centralized logon security. 



Setting Up Other Servers 

Your purpose in preparing the other servers is to ensure that they will not interfere 
with the function of the central server. In addition, these servers must themselves 
be made subject to logon validation by the central server. 

To set up the servers on your local area network for centralized logon security, 
make the following changes to each server's LANMAN.INI file (except the central 
server, which you've already prepared): 

1 . Find the srvservices= entry; if the Netlogon service is listed, remove it. 

2 . Edit the logonserver= entry to read: 



logons erver= 



Wcomputername 
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computername names the central server. 

Every computer on the local area network should have this line in the 
LANMAN.INI file. 

3 . (Optional). Edit the LANMAN.INI file on the LAN Manager server 
distribution disks to reflect these changes . 

This ensures that any server installed from these disks is properly prepared 
for centralized logon security. 

You have now prepared all of the servers for centralized logon security. 
Continue to the next section to prepare the netstations. 

Example 

Ben has set up humanr as the centralized logon validation server for MacroCorp's 
local area network. He must now prepare all other servers to work under 
centralized logon security. 

Moving to each of the four other servers in turn, Ben edits their LANMAN.INI 
files to create the following lines (in their appropriate places): 

logonserver=\ \ humanr 
srvservices=spooler, alerter 

Now he can be sure that no other server will interfere with the logon validation 
server. 

Next, Ben must prepare all of the netstations on the local area network to work 
under centralized logon security. 




Setting Up Netstations 

Your purpose in preparing the netstations is to ensure that they will send logon 
requests to the central server. 
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If it is impractical for you to set up all of the individual netstations on the local area 
network yourself, you can send instructions to the users of the netstations so that 
they can make the necessary change themselves. 

To set up netstations under centralized logon security, make the following change to 
each netstation's LANMAN.INI file: 

1 . Edit the logonserver= entry to read: 

logonserver=\ \computername 

computername names the central server. 

2 . Every computer on the local area network should have this line in its 
LANMAN.INI file. 

If you want, you can edit the LANMAN.INI file on the LAN Manager netstation 
distribution disks to reflect these changes. This ensures that any netstation installed 
from these disks is properly prepared for centralized logon security. 

You have now prepared all of the computers on the local area network for 
centralized logon security. If you want, you can now create scripts for users; see 
the "Managing Scripts" section later in this chapter for details on how to make and 
use scripts. 

Example 

Ben has set up hwnanr as the central server for the MacroCorp local area network. 
Due to the size of the local area network, it would be very difficult for him to 
prepare all of the netstations himself. 

Ben sends out a memo to all users of the local area network, telling them to edit the 
logonserver= entry of their LANMAN.INI files to read: 



logons e rve r= \ \ human r 




Managing Logon 
Security 



10-14 



He also sends a broadcast message, using the Message menu in the LAN Manager 
screen. Finally, he edits the LANMAN.INI file on MacroCorp's master LAN 
Manager netstation distribution disks, ensuring that future netstation installations 
will have the proper setup. 

This concludes Ben's preparations for logon security. Other administrators may 
choose to set up scripts on hwnanr for individual users; Ben is only concerned with 
logon validation. 



Managing Distributed Logon Security 

Under distributed logon security, more than one server on the local area network 
validates logon requests. 

The following sections provide detailed procedures for two tasks: 

• Setting up servers. 

• Setting up netstations. 



Setting Up Servers 

If you have decided to use distributed logon security on your local area network, 
and have identified the servers that you want to use as logon validators, then you 
are ready to start setting up the servers. Before you do, though, make sure that the 
servers you have selected to perform logon validation are running user-level 
security. 

To set up the servers on your local area network for distributed logon security, 
make the following changes to each server's LANMAN.INI file: 

1 . For servers to be logon validators, edit the srvservices= entry to add the 

Netlogon service to the list of services that automatically start with the server 
service. 
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2 . Change the centralized= entry to read: 

cent ralized=no 

3 . Set the Iogonserver= entry according to the following guidelines: 

• If you want another specific server to validate logon requests for this 
server, set the logonserver= entry to read: 

logons e rver= \ \ compute rname 

where: computerncune is a server that can perform logon validation. 

• If you want the server to broadcast a message to the local area network 
requesting validation from any other server, set the logonserver= entry to 
read: 

logonserver=\\* 



Enabling Logon Account Validation 

You must enable logon validation for each user's account on at least one of the 
distributed logon validators. Enable logon validation for a user's account only on 
the server or servers that you want to respond. All other servers will ignore logon 
requests from that user. 



1 . In the LAN Manager screen, select the Accounts menu and choose the 
Users/groups menu item. 

The Users/Groups dialog box appears. 

2 . In the Users list box, choose the account for which you want to enable logon 
validation. 

3 . Choose the Zoom command button. 

The Change User Account dialog box appears: 
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4 . Mark the Use script check box. This enables logon validation for the account. 

You have now set up the servers on your local area network to run distributed 
logon security. If you want, you can edit the LANMAN.INI file on the LAN 
Manager server distribution disks to reflect these changes. This would ensure that 
any server installed from these disks is properly configured for distributed logon 
security. 

If you want to specify a script for this account, see the "Managing Scripts" section 
later in this chapter. 

Example 

Ben Preston, the manager of Human Resources for MacroCorp, has the job of 
setting up and maintaining accounts for people when they join the company. Since 
the netstations at MacroCorp cluster naturally around three servers, Ben decides to 
set up the local area network with distributed logon security. He can then leave to 
other administrators the job of maintaining accounts on each server. 

The three servers that will be logon validators are already running user-level 
security. Ben edits the LANMAN.INI file on each of these three servers. There 
are three lines in the file that he must change; this is what he changes them to: 

logonserver= \\* 

srvservices= spooler, alerter, net logon 
cent rail zed=no 

In the LAN Manager screen of each server in turn, Ben selects the Accounts menu 
and chooses the Users/groups menu item. In the Users/Groups dialog box, he 
moves into the Users list box. For each account that he wants this server to 
validate, Ben chooses the Zoom command button and marks the Use Script check 
box for that account. This enables logon validation for these accounts. 

Finally, Ben types the following on each server at the OS/2 prompt: 




net start netlogon 
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The three servers are now running as distributed logon validators. To prepare the 
other servers on the local area network, Ben edits the LANMAN.INI file of each 
server. There are two lines in the file that he must change; this is what they must 
look like: 

logonserver= \\* 
cent rail zed=no 

Next, Ben must prepare the netstations on the local area network for distributed 
logon security. 



Setting Up Netstations 

Your purpose in preparing the netstations is to ensure that they will send logon 
requests to the appropriate logon validator servers. 

If it is impractical for you to set up all of the individual netstations on the local area 
network yourself, you can send instructions to the users of the netstations so that 
they can make the necessary change themselves. 

To set up netstations under distributed logon security, make the following change to 
each netstation's LANMAN.INI file: 

1 . Set the Iogonserver= entry according to the following guidelines: 

• If you want a specific server to validate logon requests from this 
netstation, set the logonserver= entry to read: 

logons e rve r= \ \ compu tern ame 

where: computername is the computer name of the server that you want to 
validate logon requests for this netstation. If the user of this netstation 
does not have an account on that server, or if logon validation is disabled 
for the account at that server, the user cannot log on to the local area 
network. 




Managing Logon 
Security 



10-18 



• If you want the netstation to broadcast logon requests to all available 
servers, set the logonserver= entry to read: 

logonserver=\\* 

Any logon validator server with an enabled account for the requesting user 
can respond. 

2 . (Optional) If you want, you can edit the LANMAN.INI file on the LAN 
Manager netstation distribution disks to reflect these changes. 

This ensures that all netstations installed from these disks are properly 
prepared for distributed logon security. 

You have now prepared all of the computers on the local area network for 
distributed logon security. If you want, you can now create scripts for users; 
see the "Managing Scripts" section later in this chapter for details on how to 
make and use scripts. 

Example 

Ben has set up three servers as distributed logon validators for the MacroCorp local 
area network. Due to the size of the local area network, it would be very difficult 
for him to prepare all of the netstations himself. 

Ben sends out a memo to all users of the local area network, telling them to edit the 
logonserver= entry of their LANMAN.INI files to read: 

logonserver=\\* 

Finally, he edits the LANMAN.INI file on MacroCorp's master LAN Manager 
netstation distribution disks, ensuring that future netstations will have the proper 
setup. 

This concludes Ben's preparations for logon security. Other administrators may 
choose to set up scripts on their logon validator servers for individual users; Ben is 
only concerned with logon validation. 
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Managing Scripts 

Under either centralized and distributed logon security method, a server must 
validate each logon request. You can arrange it so that when a server recognizes a 
valid user name and password, it sends a set of commands to run on the requesting 
computer. This set of commands is known as a script. 

Scripts are entirely optional. You can use no scripts at all, use scripts only for 
certain users, or use scripts for all users. 

A script ordinarily contains some LAN Manager commands that set up basic 
connections in the local area network. For example, if most users need to access 
the WMis^Data directory every time they log on, a script can establish this connection 
automatically every time someone logs on to the local area network. 

A script can also contain OS/2 commands that provide information or prepare the 
user's computer for LAN Manager operations. For example, a script could print a 
message on the user's screen about what resources are available on the local area 
network. 

There are two ways you can use scripts: 

• You can create a general script that gives everyone on the local area network the 
same basic setup. This approach is best for local area networks where most 
users have the same resource needs. 

• You can create scripts tailored to the needs of individual users. For instance, 
you could create one script for novice users and another for advanced users, or 
you could create special scripts for individual users. This approach is best for 
local area networks with a wide variety of different types of users. 

The following sections provide detailed procedures for two tasks: 

• Using scripts. 



• Creating scripts. 
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Using Scripts 

Under logon security, you must enable logon validation for individual user 
accounts on at least one server. In the LAN Manager screen, this means marking 
the Use script check box in the Change User Account dialog box. When you do 
this, you have two choices in regard to scripts: 

• Leave the Script text box blank if you don't want a script to run when this user 
logs on. 

• Type the pathname of a script in the Script text box if you do want a script to 
run when this user logs on. 

You should keep scripts in the 3open\Users directory. The LAN Manager screen 
expects all pathnames for scripts to be relative to 3open\Users , either in the Scripts 
subdirectory or in the individual home directories of users. You can change the 
location or name of the 3open\Users directory by changing the userpath= entry in 
the LANMAN.INI file. 

When you start the Netlogon service, it automatically shares the Userdirs directory 
(whatever its name) with the sharename users. Do not delete this sharename; it 
gives users access to their home directories. 

LAN Manager provides one default script, scripts\netlogon.cmd. This script 
performs the following actions in response to a logon request: 

• It displays the name of the server that is validating the logon request. If you 
don't supply this information with a script, the user cannot be certain which 
server has responded to the logon request. 

• It establishes a connection to the user's home directory on the server, if there is 
one. 

Example 

Ben has set up a user account for John O'Clare (johnoc) on the humanr server. 
Ben now wants to enable logon validation for the johnoc account. 
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In the LAN Manager screen, Ben selects the Accounts menu and chooses the 
Users/groups menu item. In the Users/Groups dialog box, he moves to the 
Username list box and selects johnoc. He then chooses the Zoom command 
button. 

In the Change User Account dialog box, Ben notes that the Use script check box is 
marked, showing that this server will validate johnoc's logon requests. Ben moves 
to the Script text box and types the name of the default script, scripts\netlogon.cmd. 



Creating Scripts 

You can create your own LAN Manager scripts if you choose not to use the default 
netlogon.cmd script. You can create any of three kinds of scripts: 

• Batch files. 

• Programs (executable files). 

• LAN Manager profiles. 

You should keep all scripts in the 3open\Users\Scripts directory. 



Batch Files 

When you create a batch file as a LAN Manager script, you can put any OS/2, 
DOS, or LAN Manager commands in it, with the following restrictions: 

• Do not use the NET LOGOFF command inside a script. There is no way to 
stop a logon request from inside a script. 

• Errors that occur during the running of the logon script do not stop the logon 
procedure. The user receives an error message and the logon continues. 

DOS batch files are for DOS LAN Manager Enhanced netstations. Be careful about 
assigning the correct type of batch file for the operating system that the user is likely 
to be using. 
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You can use the following variables as shown Table 10-1 in a batch file script: 



Table 10-1. DOS Batch File Variables 



Variable 


Meaning 


%1 


The user name of the user requesting logon validation. 


%2 


The computer name of the logon validator server. 


%3 


The sharename of the 3open\Users directory. 


%4 


The path of the user's home directory, relative to 3open\Users . 



See the netlogon.cmd script for an idea of how to use these variables. 



For a further description of batch files, see the 3+Open MS OS/2 User Reference. 



Programs 

You can create a DOS or MS OS/2 executable file (program) as a LAN Manager 
script. Use whatever means you like to create the program. The four variables 
available to batch files are also passed to programs. 



LAN Manager Profiles 

This is the easiest way to create scripts. To do this, you just set up a netstation the 
way you want it, take a snapshot of that setup, and use the snapshot as a script. 



NOTE: Do not create profiles for scripts at the server. When you save a server 
profile, you save the NET SHARE commands as well as the NET USE commands 
(or their LAN Manager screen equivalents). Such a profile will not load correctly 
on a netstation. 
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Creating a Profile Script 

1 . Create the profile script from a netstation, not a server. 

Ideally, use the netstation on which this script will run. 

2 . In the LAN Manager screen, or with LAN Manager commands, make the 
connections that you want to be in the script. 

If you specify redirected drive letters, use letters that will not conflict with 
netstation devices. For example, some netstations may have a hard drive D:, 
so you may not want to use any letter before E: as a device name in a profile. 

3 . Save a LAN Manager profile with the Config menu's Save Configuration 
dialog box. 

(You can also use the NET SAVE command). 

See the 3+ Open MS OS/2 LAN Manager User Guide for details on how to 
save profiles. 

4 . Move the profile to the Lanman\Accounts\Userdirs\Scripts directory on the 
server. 

5 . Specify the filename of the profile in the Script text box of the Change User 
Account dialog box. 

(You can also use the NET USER /SCRIPT command). 
Example 

Ben wants to create a script for new users that: 

• Uses the WHumanrNPublic directory as the local P: drive. 

• Uses the \\printl\laser spooled printer queue as the local LPT1 : device. 
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Sitting at a netstation, Ben uses the LAN Manager screen to make the desired 
connections. He then selects the Config menu and chooses the Save profile menu 
item. In the Save Configuration dialog box, he types the filename 
NEWUSERS.PRO in the Filename text box and chooses the OK command button 
to create the profile. 

At the OS/2 prompt, Ben copies the newly-created profile to the humanr server with 
the following command (typed all on one line): 

net copy c:\lanman\profiles\newusers.pro 

\ \humanr\c$\lanman\ account s\ use rdirs\ scripts 

Since Ben is an administrator on the humanr server, he can use the special c$ 
resource, representing the C: drive of the server. See Chapter 8: Managing User- 
Level Security for more information about special administrative resources. 

Ben can now use the newusers .pro script when setting up user accounts. 
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Chapter 1 1 : Administering a Network 
Server 

3+Open LAN Manager lets you administer a server from any local area network 
computer. If you have adrninistrative privilege on a number of servers, you can 
manage them all from your office. When you use the LAN Manager screen for 
network administration, you see the same information on your computer's screen 
that you would see if you were working directly at the network server. 

In this chapter, you will learn how to: 

• Start an administrative session with a network server. 

• Perform administrative tasks at a network server. 



Using a Network Server 

You can perform any administrative task on a server from your local server or from 
any computer on the local area network, as long as two conditions are met: 

• You have administrative privilege for the network server. 
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• The server or workstation you are working from must be running MS OS/2 
LAN Manager. 

• ADMIN$ and IPC$ resources must be shared by that server. 

For more information about sharing the ADMIN$ and IPC$ resources, see Chapter 
3: Managing Shared Resources. 



NOTE: The term Remote on the menu screen is used to indicate a network server 
as opposed to a local server. 



Starting a Network Administration Session 

You can control a network server from the LAN Manager screen of any other 
computer on the local area network. To connect to a server, follow these steps: 

1 . Select the View menu and choose the Other server menu item 

The Connect to a Remote Server dialog box appears. This list box shows the 
visible servers in your LAN group. 

2 . From the list box, select the name of the server you want to access or type the 
name of the server in the Visible servers text box. 

3 . Type your password for this server in the Password text box, if it differs 
from the one you used to log on to the local area network. 

If this server is running with share-level security, type the password for the 
server's ADMIN$ resource (if there is one). 
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4 . Choose the OK command button. 

When the Connect to a Remote Server dialog box disappears, the LAN 
Manager screen shows information about the network server instead of your 
local computer. (The computername of the network server appears in the 
Administrating display field in the upper-right corner of the LAN Manager 
screen.) Any tasks that you now perform affect the network server, rather 
than your local computer. 

Example 

Mike Greenbaum wants to perform some administrative tasks on the print2 server 
down the hall. Rather than walk to the print! server, Mike decides to administrate 
the server over the network. From his server, he selects the View menu and 
chooses the Other servers menu item. In the Connect to a Remote Server dialog 
box, Mike types print2 in the Visible servers text box, types his password for this 
server in the Password text box, and chooses the OK command button. When the 
Connect to a Remote Server dialog box disappears, Mike sees that the 
Administrating display field on the LAN Manager screen shows the computer name 
print2. This verifies that anything Mike now does will affect the print2 server 
rather than his own. 



Using NET ADMIN to Administer a Network Server 

To start an administrative session for a network server, use the NET ADMIN 
command with the following options: 

net admin \ \ computername [password"] /command 

^computername is the name of the network server you want to administrate. 

password is your password on the network server. You only need to supply a 
password if your password for the network server is not the same as your 
password for your local server. If the network server is running with share-level 
security, this is the password for the server's ADMIN$ resource. 

/command starts an administrative session in which you can type commands to run 
on the network server. 
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When you use the NET ADMIN command, your prompt automatically changes to 
display the name of the network server. 

Example 

Mary Sullivan wants to do some work on the printl server from her own office. 
On her server, Mary types the following at the OS/2 prompt: 

net admin Wprintl /command 

Mary does not need to specify a password because her password is the same for 
both her local server and the network server printl. 

LAN Manager displays the following message: 

Type Exit or A Z to exit. 

The prompt in Mary's current MS OS/2 session changes to show the name of the 
server Mary is administrating: 

[\\PRINT1] 

All commands Mary types from this point on are interpreted as though they were 
typed directly at the printl server. 

When Mary has finished her work on printl, she types exit to end the network 
administration session. 



Using NET START to Monitor More than One Server 

You can take advantage of MS OS/2's multitasking capabilities to administrate more 
than one network server at a time from your local server. For example, if your 
local area network has three servers, you could create three OS/2 sessions on your 
local computer and monitor a different server in each session. 
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Example 

Mary wants to monitor the status of two network servers, admsvc and print 7, in 
addition to her local server, mis. Here's what she does: 

1 . After starting MS OS/2, Mary starts the netstation and Server services with 
the following command: 

net start server 

2 . At the OS/2 prompt, Mary types the NET ADMIN command to start the LAN 
Manager screen. 

The LAN Manager screen shows information about her local server. The 
Administrating display field shows the name of her local computer: 

ADMINISTRATING : \\MIS 

3 . Next, Mary presses [Control]+[Esc] to display the program selector. 

Mary selects the OS/2 command prompt option from the column labeled Start 
a Program. This starts a new OS/2 session. 

4 . In her second session, Mary types NET ADMIN again. 

This time, when the LAN Manager screen appears, she selects the View menu 
and chooses the Other server menu item. Mary types admsvc in the 
Servername text box of the Connect to a Remote Server dialog box, and then 
selects the OK command button. 

The Administrating display field now shows that she is administering the 
network server: 



ADMINISTRATING: \\ADMSVC 



11 

11-6 



Administering a 
Network Server 



5 . Mary starts a third session, once again starting the LAN Manager screen, 
selecting the View menu, and choosing the Other server menu item. 

This time in the Connect to a Remote Server dialog box, she types \printl in 
the Servername text box and chooses the OK command button to start a 
remote (network) administrative session for the printl server. The 
Administrating display field for this LAN Manager screen looks like this: 

ADMINISTRATING: \\PRINTl 

Now Mary can press [Alt]+[Esc] to switch from one server's session to the next. 
If she forgets which server's information she is viewing, she can check the 
Administrating display field in the upper-right comer of the LAN Manager screen. 



Using NET ADMIN to Start Multiple Network Servers 

You can also start multiple remote (network) administration sessions from the OS/2 
prompt. To do this, start a separate session for each server you want to monitor. 
Then, in each session, use the NET ADMIN command with the following options: 

net admin \ \ computername [password"] /command 

Computername specifies the network server. 

password is your password for the network server. You only need to supply a 
password if your password for the network server is not the same as your 
password on the local server. If the network server is running with share-level 
security, this is the password for the server's ADMIN$ resource. 

/command starts an administrative session in which you can type commands to run 
on the network server. 

Use ihe\vomputername option to specify a different server in each session. 
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Example 

Mary wants to monitor two network servers. To do this, she starts a new OS/2 
session for each of the servers. In the first session, she types: 

net admin \\admsvc /command 

LAN Manager changes the prompt in this session to look like this: 

[\\ADMSVC] 

In the second session, Mary types the following command to start a remote 
(network) administrative session for theWzwmflwr server: 

net admin \\humanr /command 

In this session, the prompt now looks like this: 

[\\HUMANR] 

Mary can now press [Alt]+[Esc] to switch between the sessions for admsvc and 
humanr. Each session's prompt reminds Mary of which server she is working 
with. 
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Running Commands on a Network Server 

Once you have connected to a network (remote) server, administrating that server 
with the LAN Manager screen is the same as administrating your local server. You 
can perform any of the administrative tasks on the server that you can on your local 
server. 

Example 

Mike Greenbaum wants to see a list of resources for the print! server. Mike has 
already started a network administrative session for print!. (He can confirm this by 
looking at the Administrating display field on his LAN Manager screen.) To list the 
resources currently shared by print! , Mike selects the View menu and chooses the 
This server menu item. Mike now sees the Resources This Server is Sharing With 
the Network dialog box. If he selects ADMIN$ from the list box and chooses the 
Zoom command button, he sees his own user name in the list box of the Shared 
Resource Information dialog box. This is because Mike is currently using 
ADMIN$ to remotely administrate the print! server. 



Using NET ADMIN to Run Commands on a Network Server 

You can run a LAN Manager command on a network server without actually 
starting a network administration session by using the NET ADMIN command with 
the following options: 

net admin Wcomputername \ [password] /command command 

\computernome specifies the network server. 

password is your password for the network server, if it is not the same as your 
logon password. If the network server is running with share-level security, this is 
the password for the server's ADMIN$ resource. 

/command tells LAN Manager that the following command is to be run on the 
network server. 

command is the command that you want to run at the network server. 
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When you use the NET ADMIN command with these options, your prompt does 
not change. You must use the NET ADMIN command again to run subsequent 
commands on the network server. 

Example 

Mary periodically checks the statistics of each server on the local area network. To 
check the server statistics for the admsvc server, Mary types: 

net admin \\admsvc /command net statistics server 

The following display appears on Mary's screen: 

Network Statistics for \\ADMSVC 



Statistics since Apr 28 


, 1988 


, 13:28:51 




Sessions accepted 


1 


Bytes received (bytes) 


36 


Sessions timed out 


0 


Bytes sent (bytes) 


3 


Sessions errored out 


0 


Average response time (msec) 


26 


Network errors 


17 


Network I/O's performed 


93 


System errors 


0 


Files accessed 


0 


Password violations 


0 


COMM devices accessed 


0 


Permissions violation 


0 


Print jobs spooled 


0 



The command completed successfully. 

This would be equivalent to typing the following command at the\Wwtsvc server: 
net statistics server 
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Ending a Session with a Network Server 

To resume administrating the local server after using the LAN Manager screen to 
administrate a network server, follow these steps: 

1 . Select the View menu and choose the Other server menu item 

The Connect to a Remote Server dialog box appears. 

2 . From the list box, select the computer name of the local server or type this 
computer name in the Servername text box. 

If you are not running the Server service on your local computer, do not select 
or type anything. 

3 . Choose the OK command button. 

The Administrating display field in your LAN Manager screen now shows the name 
of the local computer. 

Example 

When Mike Greenbaum has finished working with the print! server, he selects the 
View menu and chooses the Other server menu item. In the Connect to a Remote 
Server dialog box, Mike types the computer name of his local server, greenbaum, 
in the Servername text box and chooses the OK command button. Now the 
Administrating display field shows the computer name of his local server. 



Using EXIT to End a Session 

To end a network administration session, type the following command at the OS/2 
prompt: 

exit 

You can also press [Control]+[Z] to end the network session. 
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Chapter 12: Monitoring and 
Troubleshooting Server Operations 

As an administrator, you should keep track of what's happening on the local area 
network and be able to solve problems that come up. There are two kinds of 
problems that you might encounter: 

• Hardware problems-see the documentation that accompanies your local area 
network equipment. 

• Software problems-consult this chapter. 

When you can identify a problem, you're halfway to correcting it. LAN Manager 
keeps records of activities and errors; you can use these records to isolate problem 
areas and work out solutions. 
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In this chapter, you will learn how to: 



Set up automatic alerts. 



Look at a server's audit trail. 



Look at server statistics. 



Control user connections to the server. 



Look at a server's error log. 



Deal with access problems. 



What to Watch For 



You should watch for these problem areas: 

• Poor server performance. 

• Security and access problems. 

• User session problems. 

• Printer problems. 

Server performance problems can include sluggish response, lack of disk space, or 
other problems with the operation of the server itself. To correct performance 
problems of this nature, refer to the 3+ Open Network System Guide. To identify 
performance problems, you can review statistics of server activities and the error 
log, a record of errors that have occurred at the server. See the "Looking at 
Statistics" and "Looking at the Error Log" sections later in this chapter. 

Users need to be able to get to resources, and you need to be able to control their 
access. Chapters 8, 9, and 10 describe the security features of LAN Manager and 
how to set them up. The audit trail, a record of activities at each server, is your best 
tool for monitoring security and access problems. See the "Looking at the Audit 
Trail" section later in this chapter. Also, see the "Preventing Access Conflicts" 
section later in this chapter for information on how to keep local operations (things 
you do at the keyboard of the server) from interfering with local area network 
operations. 
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You may find it necessary to interfere with a user's connections to the server, either 
for security reasons or because the user is having trouble. You can close a user's 
session (set of connections to a single server) or close individual connections. See 
the "Looking at Sessions" section later in this chapter. 

Printer problems are a special class, due to the complexity of shared printer queues 
as compared to other shared resources. The Alerter service can inform you of many 
common printer problems. For more information on how to set up and maintain 
print queues, see Chapter 5: Managing Shared Printers. 



Setting Up Automatic Alerts 

LAN Manager sends automatic alert messages when certain problems occur. LAN 
Manager informs you under these conditions: 

• Disk drive is full. 

• Excessive errors have occurred. 

• Excessive bad password attempts have occurred. 

• Excessive bad access attempts have occurred. 

• The audit trail file is full. 

• The error log file is full. 

• A printer is out of paper. 

• A printer is malfunctioning. 

• A print request has been deleted. 

• A print request has completed. 
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In the first four cases, you can control the exact conditions under which LAN 
Manager sends an alert. See the 3+Open Network System Guide for information 
about setting these LANMAN.INI entries: 

• Diskalert= for "disk full" alerts. 

• Erroralert= for "error log full" alerts. 

• Netioalert= for "excessive I/O errors" alerts. 

• Logonalert= for password attempts. 

• Accessalert= for access attempts. 

• Alertsched= for how often LAN Manager sends alerts of any kind. 

A special LAN Manager service, the Alerter service, can forward alert messages to 
other users on the local area network. To make this work, you must do the 
following things: 

• Start the Alerter service (see Chapter 2: Starting and Using LAN Manager 
Services). 

• Set the alertnames= entry of the LANMAN.INI file (see the 3+Open Network 
System Guide). 
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Looking at Statistics 

LAN Manager maintains a record of statistics for server performance. To look at 
these statistics, follow these steps: 

1 . Select the Status menu and choose the Server statistics menu item. 

The Server Statistics Information dialog box appears. 

For a full description of each statistic in this dialog box, see the 3+ Open MS 
OS/2 LAN Manager Administrator Reference. 

2 . To clear the current statistics for this server and restart statistical tallies, select 
the Clear statistics command button. 



Looking at the Error Log 

The error log stores a record of the problems that have occurred during server 
operation. It is not unusual for some errors to occur — most are minor 
communication problems from which LAN Manager automatically recovers. 

If LAN Manager fails to recover from a problem, the error log can provide you with 
information about the problem. You can then evaluate the cause of the problem, 
using information in the 3+ Open Network System Guide. You may want to contact 
your software vendor or distributor for further assistance. While you may be able 
to fix many of the hardware problems listed in the error log, you probably need to 
contact your software vendors for errors related to application programs. 
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Displaying the Error Log 

To display the server's error log, follow these steps: 

1 . Select the Status menu and choose the Error log menu item. 

The Network Error Log dialog box appears. This dialog box contains a list 
box showing all entries in the error log. 

2 . Select the error log entry you are interested in. 

3 . Choose the Zoom command button. 

The Error Log Record dialog box appears. This dialog box shows: 

• Service which encountered the error. 

• Error identification number. 

• Date and time at which the error occurred. 

• Brief explanation of the error. 

• Hexadecimal code related to the error. 

If you are searching for the cause of a problem, and you cannot find any relevant 
errors in the error log, look at the audit trail as described in the next section. For 
example, a bad password attempt is recorded in the audit trail rather than the error 
log. 

Clearing the Error Log 

To clear the error log for this server, follow these steps: 

1 . Select the Status menu and choose the Error log menu item. 

2 . In the Network Error Log dialog box, choose the Clear command button. 
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Looking at the Audit Trail 



The audit trail keeps track of who has used server resources and for what purpose. 
You can turn the recording of audit information on and off, for all resources or for 
specific resources. 

When you start the server, auditing is turned on or off according to an entry in the 
LANMAN.INI file (or an option to the NET START SERVER command). See the 
3+Open Network System Guide for information on how to set the auditing= entry. 
If auditing is turned off when you start the server, you cannot record audit 
information. 

Under user-level security, you can turn auditing on or off for specific resources. 
See Chapter 8: Managing User-Level Security, for information. Under share-level 
security, you decide whether to audit a resource as you share it. See Chapter 9: 
Managing Share-Level Security, for information. 

The audit trail records only the opening of connections, not subsequent actions that 
involve the resource. For example, individual reads to a file are not recorded, only 
the initial open. 

Because LAN Manager records audit information on every opening of a file, some 
applications may generate a large number of audit entries during normal operation. 
If you find that an application is generating too much audit information, you can 
take either of two actions: 

• Turn off auditing for this resource. 

• Turn on auditing only for a specific file in the application directory, leaving 
auditing off for the other files. You may have to experiment to find out which 
file or combination of files will give you the amount of audit information that 
you want. 
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Displaying the Audit Trail 

To display the contents of the audit trail, follow these steps: 

1 . Select the Status menu and choose the Audit trail menu item 

The Network Audit Trail dialog box appears. This dialog box shows attempts 
(successful and unsuccessful) by users to access server resources. 
Specifically it shows: 

• User name of the person who requested access. 

• Type of access requested. There are several such types: 



Type of access 


Context 


Server 


For server actions 


Session 


For user sessions 


Share 


For starting or stopping sharing 


Access 


For access by users 


Access Denied 


For access violations 


Other 





The dialog box also displays a brief description of what operation was 
performed or attempted and the date and time of the operation. 
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Clearing and Saving the Audit Trail 

1 . To clear the audit trail for this server and restart audit recording, choose the 
Clear command button. 

2 . To save the contents of the audit trail in a file, choose the Save command 
button. 

If you chose the Save command button, LAN Manager asks you if you want 
to save the log to the AUDIT.S AV file. 

3 . Choose the OK command button. 



Looking at Sessions 

Each time a user communicates with a server, even if just to look at the list of 
available resources, the user establishes a session to the server. As an 
administrator, you can look at and control these sessions at each server. 

The list of user sessions can tell you: 

• Who is connected to the server. 

• How long each user has been connected to the server. 

• How long each connection has been idle. 

From this information, you can gauge the workload on the server. You can also 
determine if a user has forgotten to disconnect from server resources and is now 
tying them up. Under some circumstances, you may decide to force a session 
closed to free up a resource or to assist a user who is unable to close a session. 
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Displaying Session Information 

To display the session information for a server, follow these steps: 

1 . Select the Status menu and choose the Session status menu item. 

The Sessions to This Server dialog box appears. The text box in this dialog 
box lists all the current sessions to the server. 

2 . To see more specific information about a session, select a user name from the 
list box. 

3 . Choose the Zoom command button. 

The Session Information dialog box appears. The display fields in this dialog 
box list the user name, amount of time the session has been open, and amount 
of time the session has been idle. A list box shows information about each 
resource to which a user is connected. Specifically, it shows the following 
information for each connection: 

• Sharename of the resource. 

• Type of the resource. 

• Number of locks on the resource. 



Closing Sessions 

If you find that a user has been connected to a resource for a long time without 
actually using the resource, you can disconnect the user from the server using the 
Disconnect command button at the bottom of the Sessions to This Server dialog 
box. 

If this happens frequently, you might consider changing the amount of time that the 
server allows idle sessions to remain connected. See the 3+ Open Network System 
Guide for information on how to change the maximum amount of idle time. 
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Closing a user's session does not prevent the user from reconnecting. In fact, with 
LAN Manager's automatic reconnection feature, a user can reestablish a session and 
never even know that it was closed. If you want to close a session and ensure that 
the user cannot reconnect, you must change the permissions on the resource or 
pause the user's account. 



Forcing a Session Closed 

To force a session closed on the server, follow these steps: 

1 . Select the Status menu and choose the Session status menu item. 

2 . In the Sessions to This Server dialog box, select the user name belonging to 
the session you want to disconnect 

3 . Choose the Disconnect command button. 

4 . Choose the OK command button in the message box that appears. 

After disconnecting a user, you should send that user a message mentioning 
that his or her session to the server was disconnected, and that users ought to 
disconnect their own sessions if their sessions will be idle for an extended 
period of time. 



NOTE: A message is automatically sent if the Alerter service is running. 



Closing Files 

When a user uses a shared file, the file is said to be open. Sometimes a file will be 
left open — perhaps even with a lock on it — because of a program error or some 
other problem. Such files are said to be stuck open and are therefore temporarily 
unavailable to other users. Administrators, however, can close these files. 
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To close a file, follow these steps: 

1 . Select the Status menu and choose the Opened files menu item. 

The Opened Files on This Server dialog box displays a list of all the server 
files currently in use. 

2 . From the list box, select the name of the file you want to close. The number 
of locks on a file is listed in the # Locks column of the list box. 

3 . Choose the Close command button. 

4 . Choose the OK command button in the message box that appears. 



Preventing Access Conflicts 

When you share a resource with the local area network, LAN Manager has many 
ways of preventing conflicts between simultaneous access attempts. For example, 
spooled printer queues keep a list of requests and service them one at a time; disk 
resources can allow simultaneous reads while allowing only one write at a time. 

Since a server is also a computer running MS OS/2 and you can type MS OS/2 
commands at any time at the server's keyboard, you could conceivably cause 
trouble by doing something to a resource while it was being shared. Commands 
that you type at the keyboard are not necessarily subject to the cautious controls of 
LAN Manager. For example, if someone were editing a shared LAN Manager file, 
and you wrote to that file, you could destroy their work. Similarly, if you sent a 
file to one of the server's printers, bypassing the LAN Manager queue structure, 
you could wreak havoc with whatever is printing. 

The safest measure you can take to prevent these problems is to use your own 
server's resources as if they were on another server. Then everything that you do 
will be safeguarded by LAN Manager. You will also gain the advantage of 
convenient LAN Manager features such as printer queues and automatic alerts. 
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If you set up your server as described in this section, the extra safeguarding step 
will not noticeably affect your server's performance. You will set up a local 
loopback mechanism so that you can access your server's resources without 
actually tying up the local area network hardware in your computer. 



Preventing Access Conflicts 

To prevent access conflicts, run the NETSETUP program and install or modify 
your computer's LAN Manager configuration to use the LOOPBACK driver. The 
LOOPBACK driver is an option to select when Netsetup asks for "Network 
Protocol". 
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Appendix A: LAN Manager Utilities 

This appendix describes the utilities included with LAN Manager. These utilities 
help with local area network operation, administration, and performance. 

The 3+Open Installation and Setup program copies the following files as shown in 
Table A-1 to the Netprog subdirectory of the LAN Manager Lanman directory: 



Table A-1. LAN Manager Utility Files 



Program 


Purpose 


COMPACT.EXE 


Frees up space on a disk and speeds up disk 
access by reorganizing file storage. 


AT.EXE (servers only) 


Runs a command on a server at a specified 
time. 


MAKEACC.EXE (servers only) 


Creates an access control database for user- 
level-security servers; creates the file 
LANMAN\ACCOUNTS\NET.ACC. 


GROWACCEXE (servers only) 


Changes the size of the access control 
database for user-level- security servers; 
changes the size of the file 
LANMAN\ACCOUNTS\NET.ACC. 
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To run any of these utilities, type the name at the OS/2 prompt. 

COMPACT.EXE is for netstations and servers; the others are for servers only. If 
you have a netstation, you need only read about the COMPACT utility. 



COMPACT Utility 

The COMPACT utility reorganizes disks by joining all fragmented files and 
subdirectories and eliminating deleted entries from directories, improving overall 
server disk performance. 

For complete information on the COMPACT utility, refer to the 3+Open Network 
System Guide. The utility is also described in the 3+ Open MS OS/2 LAN Manager 
Administrator Reference. 



AT Utility 

The AT utility schedules a program or command to run at a later date and time on a 
server. It also displays the list of programs and commands scheduled to be run. 

For more information about the AT utility, see the 3+ Open MS OS/2 LAN Manager 
Administrator Reference. 



MAKEACC Utility 

The MAKEACC utility creates an access control database required by user-level- 
security servers. The access control database keeps track of user accounts and 
individual access permissions for resources on the server. Without the access 
control database, a server cannot run user-level security. The access control 
database is contained in the file LANMAN\ACCOUNTS\NET. ACC. 

When you install LAN Manager on a server, you can choose user-level, and 
3+Open Installation and Setup program runs MAKEACC for you. 
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You need to run MAKEACC yourself under the following circumstances: 

• The LAN Manager distribution disks are set for share-level security, and you 
want to install a user-level-security server. 

• You have installed a share-level-security server and want to change to user-level 
security. 

• The LANMAN\ACCOUNTS\NET. ACC file is missing or damaged. 
To run MAKEACC, follow these steps: 

1 . If the Server service is running, you must stop it before running MAKEACC. 
Type the NET STOP SERVER command at the OS/2 prompt. 

2 . Type MAKEACC at the OS/2 prompt with the following options: 

makeacc ^accounts directory 

^accounts is the number of accounts you want the access control database to 
be able to handle. The maximum is 1,048. You can change this limit later 
with the GROWACC utility. 

directory is the top directory of the LAN Manager software, usually 
C:\3open\Server\Lanman. 

The more accounts the database can handle, the larger the NET. ACC file is, 
so keep an eye on available disk space. 

MAKEACC asks you for passwords for the guest and admin accounts. 
Choose unique passwords for these accounts. The guest account allows 
access to this server for people without their own accounts, so a null (blank) 
password here allows anyone access to the server. The admin account is for 
administrators only; anyone with the password for this account can control the 
server. You can change these passwords later if you want. 
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GROWACC Utility 

The GROWACC utility changes the size of the access control database used by 
user-level-security servers. This does not affect any of the current entries in the 
database. 

When you install LAN Manager on a server running user-level security, or when 
you run the MAKE ACC utility yourself, you specify a limit on the number of 
accounts that the access control database can hold. The GROWACC utility lets you 
change that limit. 

You should run GROWACC under the following circumstances: 

• The access control database is full of accounts, and you want to add more 
accounts. 

• The LANMAN\ACCOUNTS\NET. ACC file is bigger than you need it to be; 
you want to reduce the access control database to make the file smaller. 

To run GROWACC, follow these steps: 

1 . If the Server service is running, you must stop it before running GROWACC. 
Type the NET STOP SERVER command at the OS/2 prompt. 

2 . Type GROWACC at the OS/2 prompt with the following options: 
growacc ^accounts 

^accounts is the number of accounts you want the access control database to 
be able to handle. The maximum is 1,048. 

The more accounts the database can handle, the larger the NET. ACC file is, 
so keep an eye on available disk space. 
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Appendix B: LAN Manager Screen 
Console Version 

The console version of the LAN Manager screen is a special feature of 3+Open 
LAN Manager that lets administrators set up special, unattended servers in printer 
rooms and other areas. 

The idea behind the console version is to allow users to perform certain specific and 
relevant tasks on the unattended server, such as checking on the status of queues or 
sending messages, without giving them full administrative privilege or 
compromising the security of the local area network. 

This appendix is divided into two parts: 

• An introduction for administrators, which explains how to set up an unattended 
server. 

• A manual for users, which explains how to use an unattended server. 



NOTE: The appendix is designed so that the second part — the manual for users — 
can be separated and placed near an unattended server, where users can refer to it as 
needed. 
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Introduction for the Administrator 

As a local area network administrator, one of your chief concerns is security. 
You carefully plan your local area network so that each individual can access the 
appropriate resources. You also plan where servers should be located and what 
resources they should share. Often, it makes sense to locate a server in a printer 
room or some other place where the server must be left unattended. 

To provide ample security for unattended servers, LAN Manager provides a 
special, limited version of the LAN Manager screen. The console version of the 
LAN Manager screen lets you start LAN Manager services and a version of the 
LAN Manager screen that gives users limited access to dialog boxes that control 
queues and related local devices. 

In this appendix, you will learn how to: 

• Ensure proper security on an unattended server. 

• Set up an unattended server for access by users. 

• Log on to and off from the local area network from an unattended server. 



NOTE: The 3+Open LAN Manager Netsetup service performs all of these steps if 
you select "dedicated" when prompted for the type of server. 



Setting up an Unattended Server 

To set up an unattended server on the local area network, you must do the 
following: 

1 . Modify the server's CONFIG.S YS file to ensure proper security on the 
unattended server. 

2 . Start the appropriate LAN Manager services. 
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3 . Share the appropriate resources from the unattended server for access by 
users on the local area network. 

4 . Log on to the local area network and start the console version of the LAN 
Manager screen. 

The following sections describe each of these steps in more detail. 



Ensuring Proper Security 

You need to make sure that users cannot modify an unattended server by accessing 
OS/2 or LAN Manager commands. There are two things you need to do: 

1 . Include the following line in your CONFIG.SYS file to prevent users from 
starting a DOS session: 

protect on ly=yes 

2 . Make sure that the PROTSHELL command line in your CONFTG.SYS file 
specifies the filename of the security-check program, ADMINCMD.EXE, for 
example, 

protshell=c : \ shell . exe c:\admincmd.exe /k 
c:\os2init. cmd 

The ADMINCMD program allows users to start new OS/2 sessions only if they can 
supply the administrative password for the unattended server. 



NOTE: The ADMINCMD .EXE file must be in the same directory as the 
CMD.EXE file. 



BLAN Manager 
Screen Console 
Version 



B-4 



Starting LAN Manager Services 

You must start the Workstation and Server services on an unattended server just as 
you would on any other server: 

net start workstation 
net start server 

You may also want to start other LAN Manager services. Table B-l, When to Start 
LAN Manager Services, describes when you would want to start them on an 
unattended server: 



Table B-1 . When to Start LAN Manager Services 



Service 


When you should use it 


Workstation 


You must start this service. 


Server 


You must start this service. 


Messenger 


Start this service if you want users to be able to send messages 
to or from the unattended server. 


Alerter 


Start this service to enable LAN Manager to send alert messages 
from the unattended server to you and/or other recipients on fie 
local area network. 


Netpopup 


This service is not recommended for unattended servers. Start 
this service only if you want broadcast messages (that is, 
messages that are sent to all computers on the local area 
network) or other messages sent to this computer to appear on 
the screen as they are received. 


Spooler 


Start this service if you are sharing printer queues from the 
unattended server. 


Netrun 


Start this service to allow users to run programs on the 
unattended server from other computers, using the unattended 
server's memory. 


Netlogon 


Start this service if the unattended server is a logon server. 
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NOTE: To start services automatically when you start MS OS/2 on the unattended 
server, include the appropriate NET START commands in the server's 
STARTUP.CMD file or modify the srvservices= and wrkservices= entries in the 
LANMAN.INI file. For more information about the STARTUP.CMD file, see the 
3+ Open MS OS/2 Setup Guide For more information about modifying the 
LANMAN.INI file, see the 3+Open Network System Guide. 



Sharing Resources 

Before you start the console version of the LAN Manager screen, you should share 
the resources you want to make available from the unattended server. 

The first time you start the unattended server, you must share resources the same 
way you would for any other server on the local area network. 

Once you have defined a set of shared resources for the server, you can create a 
profile file of those shared resources. The next time you start the server, you need 
only type the following to share the same set of resources. 

net load filename 

filename is the name of the profile file. 

For more information about creating profiles, see the 3+Open MS OS/2 LAN 
Manager User Guide. 
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Logging On and Starting the LAN Manager Screen 

When you have started the Workstation and Server services, and have shared the 
server's resources, you are ready to start the console version of the LAN Manager 
screen. To do so, follow these steps: 

1 . Type the following at the OS/2 prompt: 

net console 

The console version of the LAN Manager screen appears. The Set Exit 
Password dialog box also appears. 

2 . Type in a password for this NET CONSOLE session. 

This assures that the server console will remain connected until you or 
someone else types the exit password. 



Logging Off from a Server Console 

To end a NET CONSOLE session, follow these steps: 

1 . Select the view menu and choose the Exit menu item. 
The Enter Password dialog box appears. 

2 . Type the password you used when you started the NET CONSOLE session. 

3 . Choose the OK command button to exit the server console version of the 
LAN Manager screen. 

For more information about specific LAN Manager commands or dialog boxes, see 
the 3+Open MS OS/2 User Reference and the 3+Open MS OS/2 LAN Manager 
Administrator Reference. 
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Introduction for the User 



NOTE: Keep these instructions near the unattended server as a manual for users. 

These pages are intended as a kind of User's guide for the console version of the 
LAN Manager screen. The console version of the LAN Manager server is designed 
especially to run on unattended servers. Your local area network administrator has 
set up this unattended server to control one or more printers or communication 
devices that are shared with users of the local area network. 

The console version of the LAN Manager screen looks essentially like the 
Workstation version that you see on your regular computer. There are differences, 
however, that will be covered in the following pages. 

The console version of the LAN Manager screen lets you check on the status of: 

• Printer and communication device queues. 

• Individual print requests held in a queue. 

• Queues directed to a specific local device. 
In this document you will learn how to: 

• View a list of shared local area network resources. 

• Send network messages. 

• List or change the status of a printer queue's contents. 

• List the contents of a communication device queue. 

• Check the status of a local device. 
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NOTE: If the console version of the LAN Manager screen is not started on the 
unattended server, contact your local area network administrator. 



Using an Unattended Server 

The console version of the LAN Manager screen includes four menus: View, 
Message, Config, and Status. The screen may look like the LAN Manager screen 
on your netstation, but the menu items for this version are different from those on 
your netstation. 

When you hold down the [Alt] key and press the first letter of one of these menu 
names, a menu listing one or more menu items appears. Table B-2 lists the menu 
items associated with each menu name. 



Table B-2. LAN Manager Screen Main Menu Items 



Menu 


Menu Item 


View 


Print queues Comm queues Exit 


Message 


Send 


Config 


Change password 


Status 


Device status 



The following sections explain how to use these menu items to perform tasks on the 
unattended server. 
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Working with Spooled Printer Queues 

The console version or the LAN Manager screen displays the status of each spooled 
printer queue shared by the unattended server. 

You can use the view menu to look at the contents, status, and configuration of 
spooled printer queues at an unattended server. With the appropriate password, 
you can also change the status of a request in a spooled printer queue or the status 
of a queue. 



Viewing Printer Queue Options 

To see the options for a printer queue shared by this server, follow these steps: 

1 . Select the view menu and choose the Print queues menu item. 

The Print Queues for (server) dialog box appears. This dialog box shows the 
name and status of each printer queue for that server. The identification 
number and size of each request in each queue are listed also. 
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2 . Select the name of the printer queue you are interested in and choose the 
Zoom command button. 

The Printing Options for Queue dialog box appears. The text boxes in this 
dialog box show the current options for this printer queue as shown in Table 
B-3. 



Table B-3. Printer Options for Queue Text Boxes 



Text box 


Shows this information 


Priority 


The priority level, from 1 to 9 (1 is highest), for 
requests in this queue. 


Printer device(s) 


The device name(s) to which this queue directs print 
requests 


Separator file 


The filename of the separator file that prints between 
requests in this printer queue, if any. 


Print after 


The time at which the queue can start sending requests 
to the printer(s). 


Print until 


The time after which the queue can no longer send 
requests to the printer(s). 


Print processor 


The filename of the print processor used for requests in 
this queue, if any. 


Parameters 


Parameters for the print processor program. 


Comment 


A descriptive comment about the queue. 
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Changing the Status of a Printer Queue 

To change the status of a spooled printer queue, you must know the administrative 
password for the unattended server. With this password you can hold, release, 
purge, or delete a printer queue. 

To change the status of a printer queue, follow these steps: 

1 . Select the view menu and choose the Print queues menu item. 
The Print Queues for (server) dialog box appears. 

2 . Select the name of the printer queue you are interested in and choose one of 
the following command buttons shown in Table B-4. 



Table B-4. Printer Queue Command Buttons 



Command button 


Function 


Hold 


Suspends all requests in the printer queue except for 
the document that is currently printing. 


Release 


Reactivates a held queue. 


Delete 


Deletes the printer queue itself. 


Purge 


Removes all requests from the printer queue. 



Changing the Status of a Print Request 

You can use the LAN Manager screen to hold, release, restart, or delete a print 
request in a spooled printer queue shared by the unattended server. 

To change the status of a print request, follow these steps: 

1 . Select the view menu and choose the Print queues menu item. 

The Print queues for (server) dialog box appears. 
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2 . Select a print request from the list box and choose one of the following 
command buttons from Table B-5. 



Table B-5. Print Request Command Buttons 



Command button 


Function 


Hold 


Keeps the selected print request in the queue. 


Release 


Allows the selected request to be sent to the printer 
after it has been held. 


Restart 


Reprints an interrupted document from the beginning. 


Delete 


Removes the selected print request from the printer 
queue. 



Getting More Information About a Print Request 

The console version of the LAN Manager screen also lets you examine an 
individual print request, and to move it to either the beginning or the end of the 
queue. To view the print options for a print request, follow these steps: 

1 . Select the view menu and choose the Print queues menu item. 

The Print queues for (server) dialog box appears. 
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2 . Select a print request from the list box and choose the Zoom command button. 

The Printing Options for Job dialog box appears. This dialog box contains 
several display fields that show information about the selected print request 
listed in Table B-6. 



Table B-6. Print Request Display Fields 



Display field 


Shows this information 


Job# 


The job number for this request. 


User name 


The owner of this request. 


Sharename 


The sharename of the printer queue. 


Size 


The size in bytes of the document to be printed. 


Time queued 


The length of time in the queue. 


Time printing 


The length of time at the printer. 


Printing on 


The device name of for the printer to which the request is 
routed. 


Status 


Whether the job is Spooled, Held, Printing on (device), 
Held on (device), Out of paper on (device), Error on 
(device), Offline on (device), or Waiting. 



The Printing Options for Job dialog box also contains a text box that lets you 
supply a comment for the request, and a set of option buttons that let you 
move the request to the top or the bottom of the queue. See the next section 
for information on how to use these option buttons. 
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Changing the Position of a Print Request 

From the Printing Options for Job dialog box, you can change the position of a 
request in a printer queue by following these steps: 

1 . Select one of the following option buttons: 

• Unchanged. 

• First in queue. 

• Last in queue. 



NOTE: You must know the administrative password to move a request to the 
beginning of the queue. You must know your own user account password to move 
a request to the end of the queue. 



2 . Choose the OK command button. 



Working with CommDevice Queues 

You can use the console version of the LAN Manager screen to check the 
availability of communication device queues at an unattended server. 

• Select the view menu and choose the Comm queues menu item. 

The Comm Queues for (server) dialog box appears. This dialog box lists all 
communication device queues shared by this server. It also shows the number 
of requests ahead of each request, and the number of total request that are 
waiting for a device. 



LAN Manager 
Screen Console 
Version 




B-15 



Sending Messages 



You can use the Message menu from the console version of the LAN Manager 
screen to send a message to one or more people on the local area network. You can 
type a message of up to 512 characters if you are sending a message to an 
individual user, or to all users on this server. If you are sending a broadcast 
message to all local area network users, your message cannot be longer than 128 
characters. 

1 . Select the Message menu and choose the Send menu item. 

The Send a Message dialog box appears. 

2 . Identify the recipient in one of three ways: 

• By typing the message alias of the person to whom you are sending the 
message. If you are sending the message to more than one person, 
separate the aliases by semicolons, commas, or spaces, as in the 
following example: 

marys ; johnoc 

• By selecting the All users of this Server option button to send the message 
to all users who are currently connected to this server. 

• By selecting the All LAN users option button to send the message to all 
users on the local area network. 

3 . Type the text of the message in the Message text text box. 



4. 



Choose the OK command button to send the message. 
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Changing Your Logon Password 

You can use the Config menu from the console version of the LAN Manager screen 
to change your logon password for this server or for another server. 

1 . Select the Config menu and choose the Change password menu item. 

The Change Logon Password at a Server dialog box appears. There are four 
text boxes in this dialog box. Complete these text boxes according to the 
instructions in Table B-7. 



Table B-7. Change Server Logon Password Text Boxes 



Text box 


What to do 


Servername 


Specify the computer name of the server for which you 
want to change your password. 


User name 


Type in your user name. 


Old password 


Type in your old logon password. What you type will 
not appear on the screen. 


New password 


Type in your new logon password. What you type will 
not appear on the screen. Your new password must 
differ from your old password, and can be up to 14 
characters long. 



2. 



Choose the OK command button. 
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Working with Shared Device Status 

You can use the Status menu from the console version of the LAN Manager screen 
to check the status of specific devices shared from the server. With the appropriate 
password, you can also change the status of a device, or of the requests directed to 
that device. 

• Select the Status menu and choose the Device status menu item. 

The Shared Device Status dialog box appears. This dialog box lists the device 
name of each device shared from this server. This list also shows the status, 
connection time, and the users who are currently using each device. 



Changing the Status of a Device 

To change the status of a specific printer or communication device, you must know 
the administrative password for the unattended server. With this password, you 
can pause or continue a printer, restart a print job, or make a communication device 
or printer unavailable on the local area network. 

1 . Select the Status menu and choose the Device status menu item. 

The Shared Device Status dialog box appears. 



BLAN Manager 
Screen Console 
Version 
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2 . Select the device you are interested in and choose one of the command buttons 
shown in Table B-8. 



Table B-8. Shared Device Status Command Buttons 



Command button 


Function 


Pause 


Pauses a printer. (Communication devices cannot be 
paused.) Pausing a printer also pauses the document 
that is currently printing. 


Continue 


Restarts a paused printer. 


Restart 


Reprints an interrupted document from the 
beginning. (This applies to printers only.) 


Kill 


Interrupts and removes the current request in a 
printer or communication device queue. 
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Appendix C: Bubble Diagrams 

Bubble diagrams illustrate some commands in this manual. 

(net use ^ ^ roun ded-corner rectangle surrounds the 

/ command name. The command name is in all capital 

letters and bold type. 



A rectangle surrounds variables. The variable is in 
lowercase italics. This shape says "substitute something 
here." 



/ delete 



An oval surrounds arguments that you type as is. 



/ chart ime : time 



o 



Sometimes an oval surrounds an argument that has a 
variable portion. You replace the italicized text with an 
appropriate value. 

A circle surrounds punctuation. 



2 " 
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Arrows indicate direction. 



A vertical line indicates a return. 

Each element must be separated by a space. 



To read a bubble diagram, start at the command name, in the bold, rounded-corner 
rectangle. You may follow any line through the command, as long as you follow the 
direction of the arrows. For example, when you come to the first decision point in the 
NET USE diagram shown below, you could enter either a drive or a printer name, which 
must then be followed by a path. After the path, you have the choice of entering a 
password (which is not required by the command, although it might be required by the 
shared resource). Then you must type a return. 



( NET USEl} 



^ | path 



rv 



devicename 



path 



password 



U" 



^ ] path 




/delete 



V devicename 




The record of a user on a server. To use the shared 
resources of a server, a user must first have an account 
on a server. Administrators create accounts on servers. 
Accounts are assigned user names and passwords. See 
Administrator, Password, and User name. 

The individual ultimately responsible for the local area 
network. This person typically sets up the network, 
assigns passwords and privileges, and helps users with 
problems they may have while using the local area 
network. 

A name used to receive messages. This is not the same 
as a user name. See Username. 

A program used for a particular kind of work, such as 
word processing or database management. 
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An executable file which contains a group of commands 
that are performed whenever the batch file is run. MS 
OS/2 batch files always have the filename extension 
.CMD. A batch file called STARTUP.CMD runs 
whenever you start MS OS/2. 

Messages sent to all users on the local area network. 

A small, square box that appears in a dialog box. Check 
boxes are generally associated with multiple options that 
you can set. To set a check box option, move to it and 
press the [Space bar] or click the left mouse button. 

To specify a menu item or command button. You 
choose commands or actions. See Select. 

To press and release a mouse button quickly. When you 
click a mouse button, you should hear and feel a faint 
click. 

A word or phrase that you type at the OS/2 prompt to 
carry out an action when you press the [Enter] key. 

An option enclosed in angle brackets at the bottom of a 
dialog box (for example, Zoom). The most common 
command buttons for MS OS/2 LAN Manager are OK, 
Cancel, Zoom, Add, Done, and Delete. Selecting a 
Zoom command button always leads to another dialog 
box. 

A server or a netstation. A computer is known to LAN 
Manager by its computer name and can have only one 
computer name. Only one user name at a time may be 
associated with a given computer name. A computer can 
have multiple aliases associated with it. See Alias, 
Computername, and Username. 
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The name of a server or a netstation on a local area 
network. In a network path, the computer name is 
preceded by two backslashes (for example, 
\\printl\lanman). Computer names cannot be duplicated 
on the local area network. 

A LAN Manager resource that routes user requests to 
nonspooled devices such as modems or printers 
connected to a server's serial or parallel ports. 

The way your netstation, server, or local area network is 
set up. This includes both hardware and software. 

The act of associating a name of a local device with a 
shared resource. See Devicename and Resource. 

The software link between a netstation and a shared 
resource. See Session. 

To restart a LAN Manager service or function that was 
paused. See Pause. 

Used in combination with other keys to produce control 
characters that affect a command LAN Manager or MS 
OS/2 is executing. For example, [Control] +[C] tells MS 
OS/2 to stop the current command. 

Usually a blinking line or small box on the computer 
screen that shows where the next character you type will 
appear. In the LAN Manager screen, you move the 
cursor to various areas to enter information or make 
selections. 

There are four arrow keys — Up, Down, Right and Left. 
These keys, marked with arrows, are located on the 
keyboard to the right of the alphabetic keys. 
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Device A piece of hardware that is connected to a computer and 

performs a specific function. There are three types of 
devices — disks, spooled printers, and nonspooled 
communication devices. See Device driver. 



Device driver 



Devicename 



Dialog box 



Directory 



A file that lets your netstation recognize and use a device. 
LAN Manager provides these installable device drivers: 
ub8drv.sys, netwksta.sys, and fastopen.sys. 

The name given to LAN Manager to identify a specific 
printer, disk, or other device. A disk device is named by 
the letter of its drive (for example, A: or Z:). A spooled 
printer or nonspooled communication device connected 
to a parallel port is named by the parallel port name (for 
example, LPT1: or LPT2:). A device connected to a 
serial port is identified by the name of the port to which it 
is connected (for example, COM1: or COM2:). 

A box that appears when a menu item is selected. Dialog 
boxes typically present you with a number of options 
from which to choose. Sometimes choosing an option 
from one dialog box causes another dialog box to 
appear. 

A structure for organizing your files into convenient 
groups. A directory can contain files and subdirectories 
of files. 



Disk device 



A device that stores information. Disk devices are 
known to LAN Manager by their device names. See 
Devicename. 



DOS 



An acronym meaning Disk Operating System which 
refers to either MS-DOS or PC-DOS. 
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To hold the mouse button down while moving the 
mouse. For example, you drag a scroll box to see 
additional items in a list box. 

The key you usually press after typing data or text to 
move to a new line, or after you type an MS OS/2 
command to tell MS OS/2 to execute the command. 

Messages that appear on the screen if LAN Manager 
detects a problem while processing a command. 

A collection of related information. A file on a disk can 
be compared to a file folder in a file cabinet. For 
example, a file folder named FRIENDS might contain 
the names and addresses of your friends. A file on a 
disk could contain the same information, and could also 
be named FRIENDS. Programs are also stored in files. 

A unique name for a file that can be from one to eight 
characters in length and may be followed by a filename 
extension consisting of a period (.) and one to three 
characters. See Filename extension. 

The period (.) and one to three characters that may be 
appended to a filename. For example, MS OS/2 batch 
files always have the filename extension .CMD. See 
Filename. 

A way of preparing a disk so that it can hold 
information. Formatting a disk erases whatever 
information was previously on it. You can use the MS 
OS/2 FORMAT command to prepare disks for use by 
MS OS/2 and LAN Manager. 

Refers to a group of users. See Groupname. 
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Groupname 

Hardware 
Highlight 
Home directory 
LAN 

LAN group 

LAN Manager screen 

List box 

Local 

Local area network 
Log 



The name assigned by an administrator to a group of 
users. These groups of users usually have something in 
common, such as work assignments or positions in fie 
company. 

The equipment that makes up a computer system, not to 
be confused with the programs, or software. 

Highlighting indicates that the object is selected and will 
be affected by your next action. 

The location of a user's primary account on a server that 
is working in user-level security. 

See Local area network. 

The set of computers to which a given computer belongs; 
a netstation may belong to only one LAN group. 

The menu-oriented interface for LAN Manager. This 
term also refers to the primary screen of this interface. 

An area within a dialog box containing a list of items 
from which a user can select. See Scroll, Scroll bar, and 
Scroll box. 

Refers to the netstation at which a user is working. See 
Network. 

The grouping of all computers and other hardware 
physically attached to each other by cable. 

A file containing an historical list of information. With 
LAN Manager, the administrator can set up an error log, 
statistical log, message log, and audit trail. 
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To remove your user name and password from a 
netstation. 

To set your user name and password at a netstation. 

The active part of computer storage that is used when the 
computer runs a program or command. 

A small box that appears when you select its name from 
the menu bar on the LAN Manager screen. A menu lists 
several items that you may choose from. Except for 
Exit, each menu item leads to a dialog box. 

On the LAN Manager screen, the horizontal bar at the top 
of the screen that lists the names of available menus. 

One of the items listed on a menu in the LAN Manager 
screen. Users select menu items to indicate the type of 
task they want to perform and to reach dialog boxes. 
See Dialog box and Menu. 

A box that displays messages received at your netstation. 

The ability to reroute messages that would be received by 
a user at one computer to another computer. 

Saving all messages received. When saved, messages 
can be stored in a file or sent to a printer. 

A pointing device that you move across a flat surface to 
move the pointer on your screen. A mouse has one or 
more buttons that you press to carry out various actions. 

Microsoft Operating System/2. This is the operating 
system on which LAN Manager runs. See Operating 
system. 
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The label by which LAN Manager knows a user, a 
computer, etc., for a given purpose. For example, a 
computer (netstation or server) is known by its 
computemame. See Alias, Computername, Filename, 
and Username. 

A computer used by a user to work with LAN Manager. 
See Workstation. 

Describes any server, netstation, or resource that is not 
located where the user is currently working. See Local. 

A computer name of a server followed by the sharename 
of a shared resource (for example, printlXstyle). 

For example, [C:\]. See Prompt. 

A group of programs that translates your commands to 
the computer, helping you perform such tasks as creating 
files, running programs, and printing documents. LAN 
Manager runs on the Microsoft Operating System/2 (MS 
OS/2). 

Part of a command whose use is not required. In 
syntax, options are shown in brackets. 

A button that lets you select among a group of options. 
Within a group of related option buttons, you can select 
only one option. To select an option button, use the 
arrow keys or click the option button with the mouse. 
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With user-level security, a word owned by the user that 
is typed when the user logs on at a netstation. 
Administrators can change these passwords but not read 
them. With share-level security, a password is 
associated with a resource. The person who shared the 
resource can change its password. See Share-level 
security and User-level security. 

Includes the name of one or more directories, where each 
directory name is preceded by a backslash (\). For 
example, Vustsvr^orpNacct is a path. See Network path 
and Pathname. 

Includes the name of one or more directories followed by 
a filename. Each directory name and filename within the 
pathname is preceded by a backslash (\). For example, 
the pathname WOJECINMONTHLY.rpr points to a file 
named MONTHLY.RPT in the project directory. 

To suspend a LAN Manager service or function. The 
opposite of pause is continue. See Continue. 

A setting on a shared resource that determines which 
users can use the resource and how. Permissions are 
controlled by administrators. 

To move the pointer on the screen until it rests on the 
object you want. See Pointer. 

A small graphic symbol that shows mouse users their 
location on the screen. The mouse pointer is usually 
shaped like an arrow but changes shape during certain 
tasks. 

A group of similar devices to which a queue is directed. 
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Printer queue 



See Spooled printer queue. 



Privilege 



Prompt 



Resource 

Root directory 

Run 
Scroll 

Scroll bar 



A setting assigned by the administrator to a user or group 
account on a server that determines what type of access 
that account has to shared resources on that server. See 
Group and User. 

The symbol that tells you an operating system or 
program is ready to receive a command. You type 
commands at the prompt. The OS/2 prompt shows the 
current drive and directory enclosed in brackets (for 
example, [C:\LANMAN]). 

Something that can be shared over a local area network. 
This includes, but is not limited to, printers, modems, 
image scanners, disk drives, and directories. 

On a computer, this is the top-level directory which is a 
subdirectory of no other directories. This is not the same 
as home directory. See Home directory. 

To start a program or command. 

To move data or text up and down, or left and right, to 
see parts of the file that cannot fit on the screen. 

The shaded bars that appear at the right side or bottom of 
some list boxes. You use scroll bars to move through a 
list box that contains more information than can be 
shown in one screen. The scroll bar at the right side of a 
list box scrolls vertically. 
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The small white box in the scroll bar. The scroll box 
reflects the position of the information within the 
window in relation to the total contents of the file. For 
example, if the scroll box is in the middle of the scroll 
bar, then the text or data in the window is in the middle 
of the file. If you have a mouse, you can scroll by 
dragging the scroll box in the scroll bar. 

To indicate the object that the next command or option 
you choose will affect. See Highlight 

A sheet of paper which is automatically placed between 
documents printed via a spooled printer queue. 

A computer on a local area network that controls access 
to resources such as files, printers, and modems. 
Servers are run by administrators. 

Programs that represent the main functions of LAN 
Manager. The LAN Manager services include 
Workstation, Server, Messenger, Netpopup, Alerter, 
Netlogon, Netrun, and Spooler. 

A link between a netstation and a server. A session 
consists of one or more connections to shared resources. 
See Connection. 

A program included with LAN Manager that installs 
LAN Manager software on a netstation or server. 

The act of making a resource available for users to use. 
Only resources attached to a server can be shared. 
Administrators share resources. 

A resource available to a user via the local area network. 
See Resource. 
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Share-level security 



Software 



Spooled printer queue 



Text box 



Title bar 
User 

User-level security 



One of two security modes allowed by LAN Manager. 
With share- level security, the administrator can assign 
passwords and permissions to resources. See 
Password, Permission and User-level security. 

The programs, routines, or instructions written in a 
computer language that instruct the computer to perform 
one or more tasks. Some examples of software include 
operating systems, word-processing programs, and 
spreadsheet programs. 

A LAN Manager resource that routes requests to one or 
more spooled printers connected to a server's serial or 
parallel ports. 

A box where you type information. A text box appears 
within a dialog box. What you type appears to the left of 
the prompt. The text box may be blank when the dialog 
box appears, or the text box may contain text if there is a 
default option. (Default options are options that LAN 
Manager automatically suggests.) 

The place at the top of the LAN Manager screen or a 
dialog box where titles appear. 

Someone who uses the local area network. 

One of two types of security modes allowed by LAN 
Manager. With user-level security, the administrator can 
assign passwords to users and multiple permission 
settings to a shared resource. See Password and Share- 
level security. 



Username 



The name a user types when they log on to a netstation. 
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Wild-card character A character that can be included in a filename in a 

command line to indicate any character or group of 
characters that might match that position in other 
filenames. With LAN Manager and MS OS/2, you can 
use an asterisk (*) or a question mark (?) as wild cards. 
The asterisk denotes all characters and the question mark 
denotes any character. For example, the filename 
MARKET.* refers to all files named MARKET with any 
filename extension. The filename ANNEX? .LST would 
be equated with filenames like ANNEX 1. LST and 
ANNEX2.LST. 

Workstation A computer used by a user to work with LAN Manager. 

See Netstation. 

Zoom To access a dialog box that provides more detail about a 

Zoom field which is highlighted. To zoom an item, 
select the command button at the bottom of the dialog 
box. 
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Index 



accessalert=, 12-4 
Account 

add group, 8-32 

add space for user account, 8-21 

add user, 8-17 

defined, 1-9, 8-4 

disable user, 8-26 

generic, 8-5 

group, 8-5 

group name, 8-5 

password, 8-4 

user account, add, 8-17 

user-level security, 8-17 

username, 8-4 
Accounts menu 

add user account, 8-17 

change password, 8-27 

enable logon validation for account, 10-15 

examine permission, 8-39 

function, 1-21 
Add Permissions dialog box 

create printer queue, 5-13 

share communication device queue, 6-4 

share printer queue, 5-13 
Add Share command button 

create communication device queue, 6-3 

create printer queue, 5-11 

share communication device queue, 6-3 

share directory, 4-5 

share printer queue, 5-11 

share resource, 3-9 
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Add User Account dialog box 

add space for user accounts, 8-19, 8-20 
add user account, 8-18 

ADMINS resource 
defined, 3-7 

necessary to administer network server, 11-2 

share, 3-10, 9-7 
Administrator 

different under user-level and share-level security, 9-4 
Alerter service, 12-4 

set up, 12-4 
Alerts, 12-3 

description, 12-3 
alertsched=, 12-4 
Alias 

defined, 1-8 
AT utility, A-2 
Audit trail 

identities security and access problems, 12-2 
Auditing 

preventing too many entries, 12-7 



c 

Centralized logon security 

advantages, 10-2 

defined, 10-2 

disadvantages, 10-3 

Netstation, set up, 10-12 

other servers, set up, 10-1 1 

set up central server, 10-8 
Change Group Account dialog box 

remove group member, 8-36 
Change Password menu item 

change password, 2-9 
Change Permission dialog box 

share communication device queue, 6-4 
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Comm Queues for (Server) dialog box 

check communication device queue status, 6-7 

remove requests from communication device queue, 6-10 
Comm queues menu item 

check communication device queue status, 6-7 
Command 

HELPMSG, 1-23 

NET, 1-19 

NET ACCESS, 8-46 

NET ADMIN, 1-19 

NET COMM, 6-8, 6-11, 6-13 

NET CONSOLE, 1-20 

NET CONTINUE, 2-11, 3-15 

NET COPY, 7-2 

NET DEVICE, 5-18, 5-19, 6-8 

NET GROUP, 8-34, 8-36, 8-37, 8-38 

NET HELP, 1-22 

NET LOGOFF, 10-21 

NET LOGON, 2-5 

NET PASSWORD, 2-10, 8-28 

NET PAUSE, 2-11,3-15 

NET PRINT, 5-8, 5-9, 5-18, 5-21, 5-25 

NET RUN, 7-3, 7-4 

NET SHARE, 3-17, 4-8, 4-10, 5-5, 5-6, 5-14, 5-28, 6-13, 6-15, 9-10, 9-13 
NET START, 2-2 
NET START SERVER, 12-7 
NET STOP, 2-13 
NET USER, 8-24, 8-26, 8-31 
Communication device pool 
defined, 6-2 
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Communication device queue 

change devicename, 6-7 

change option, 6-11 

change priority, 6-7 

check status, 6-6 

create, 6-3 

defined, 6-2 

list from console, B-14 

permission, 8-11 

remove requests, 6-10 

share, 6-3 

stop sharing, 6-14 
Communication device 

decide on devices to share, 6-3 

defined, 6-1 

estimate demand for, 1-12 

maintain, 1-13 

types, 6-3 
COMPACT utility, A-2 
Computername 

defined, 1-8 
Config menu 

change password, 2-9 

function, 1-21 

log off, 2-8 

stop a service, 2-13 
CONFIG.SYS file 

modify for security, B-3 
Connect to a Remote Server dialog box 

end network administration session, 11-10 

monitor more than one server, 11-5 

start network administration session, 11-2 



lndex-4 



Console version 

administrator information, B-2 
change device status, B-17 
change position of print request, B-14 
change printer queue status, B-l 1 
change status of print request, B-l 1 
change your logon password, B-l 6 
check device status, B-17 
defined, B-l 

different from Workstation version, B-7 

get more information about print request, B-12 

fist communication device queue, B-14 

menu, B-8 

send message, B-l 5 

start, B-6 

user information, B-7 
view printer queue options, B-9 
Continue 

defined, 2-10 

NET CONTINUE command, 2-11 
printer queue, 3-14 
service, 2-10 



Delete command button 

remove requests from communication device queue, 6- 

stop sharing directory, 4-9 

stop sharing printer queue, 5-27 

stop sharing resource, 3-16 
Device pooling 

defined, 3-6 
Device Status menu item 

pause specific printer, 3-14 
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Devicename 

change, 6-7 

defined, 3-2 

restrictions, 3-3 
Directory 

share, 4-5 

stop sharing, 4-9 
Disk 

maintain, 1-13 
Disk resource permission 

combinations on LAN Manager screen, 8-10 

No permission, don't assign to groups, 8-10 

types, 8-9 
diskalert=, 12-4 

Distributed logon security, 10-14 

advantages, 10-4 

defined, 10-3 

disadvantages, 10-4 

set up servers, 10-14 
DOS LAN Manager 

user name, 8-4 



E 

Edit File Permissions dialog box 

share directory, 4-6 
Educate users, 1-16 
Enter Password dialog box 

console version log off, B-6 
Entry Level LAN Manager 

logon security, 10-2 
Error Log menu item 

look at server's error log, 12-6 
Error Log Record dialog box 

look at server's error log, 12-6 
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Error message 

get more information, 1-23 
erroralert=, 12-4 
Escape codes, 5-10 
EXIT command 

end network administration session, 11-10 
Exit menu item 

console version log off, B-6 

F 

File Access Permissions For dialog box 

examine permission, 8-39 
File permissions menu item 

examine permission, 8-39 
File 

.SEP file, 5-9 

G 

Getting more information, 1-21 
Groupname 
defined, 8-5 

displayed with asterisk, 8-5 
Groups dialog box 

add user account, 8-17 
GROWACC command 

add space for user accounts, 8-21 
GROWACC utility, A-4 

H 

Help 

HELPMSG command, 1-23 

NET HELP command, 1-22 

on-line help, 1-22 
HELPMSG command, 1-23 
Home directory 

for new user, 8-19, 8-20, 8-25 
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I 

IPC resource 

permission, 8-11 

define security mode as user-level, 8-12 
IPC$ resource 
defined, 3-6 

must share to share programs, 7-6 

necessary to administrate network server, 11-2 

share, 3-10, 9-7 

L 

LAN group 

logon security, 10-3 

LAN Manager screen 

advantages of using, 1-17 
log on, 2-6 

LAN Manager screen, console version 
purpose, B-7 

LANMAN.INI file, 2-4, 5-4, 8-12 

define number of shared programs allowed, 7-5 

modify for share-level security, 9-5 

modify to add shared program, 7-7 

modify to define run path, 7-4 

modify to start service automatically, 2-4 

set up central server for centralized logon, 10-8 

set up netstation for centralized logon security, 10-13 

set up netstations for distributed logon security, 10-17 

set up other servers for centralized logon, 10-11 

set up servers for distributed logon, 10-14 

specify spooled directory, 5-4 

turn auditing on or off, 12-7 

Local device 
defined, 3-2 

Local versus network device, 3-2 



lndex-8 



Log off 

Config menu, 2-8 

console version, B-6 

to ensure security, 2-7 
Logon 

change password, 2-8 

console version, B-6 

LAN Manager Screen, 2-6 

NET LOGON command, 2-5 
Log on to the Local Area Network dialog box 

log on, 2-6 
Logoff menu item 

log off, 2-8 
Log-on security 

centralized, 10-2 

centralized, set up central server, 10-8 

centralized, set up netstation, 10-12 

centralized, set up other servers, 10-11 

checklist, 10-5 

defined, 1-9, 10-1 

distributed, 10-3, 10-14 

Entry Level LAN Manager, 10-2 

LAN group, 10-3 

maintain, 10-7 

script, 10-19 

script, use, 10-20, 10-21 

Server must run user-level security, 10-6 

setting up, 10-5 
Logon validation 

defined, 8-1 
logonalert=, 12-4 
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M 

Maintain local area network, 1-15 
MAKEACC utility, A-2 
Message 

send from console, B-15 
Message menu 

functions, 1-21 
MS-Net 

user name, 8-4 



N 

NET command 

start user's version of LAN Manager, 1-19 
NET ACCESS command 

non-administrative use of, 8-46 
NET ADMIN command 

monitor more than one server, 11-5, 11-6 

run command through the network, 11-8 

start administrator's version of LAN Manager, 1-19 

start network administration session, 11-3 
NET COMM command 

change communication device queue option, 6-13 

check communication device queue status, 6-8 

remove requests from communication device queue, 6-11 
NET CONSOLE command 

console version log on, B-6 

start console version of LAN Manager, 1-20 
NET CONTINUE command 

continue service, 2-11 

continue specific printer, 3-15 
NET COPY command 

copy shared program, 7-2 
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NET DEVICE command 

check communication device queue status, 6-8 

delete print request, 5-19 

list print requests for printer, 5-18 

restart printing, 5-19 
NET GROUP command 

add group account, 8-34 

add member to group, 8-36 

remove group account, 8-38 

remove group member, 8-37 
NET HELP command, 1-22 
NET LOGOFF command 

don't use inside a script, 10-21 
NET LOGON command 

log on, 2-5 
NET PASSWORD command 

change password, 2-10, 8-28 
NET PAUSE command 

pause service, 2-11 

pause specific printer, 3-15 
NET PRINT command 

change printer queue option, 5-25 

change printer queue status, 5-21 

list print requests for server, 5-18 

printer queue priority option, 5-8 

printer queue processor option, 5-9 

printer queue scheduling option, 5-8 
NET RUN command 

run shared program, 7-3, 7-4 
NET SHARE command 

change communication device queue option, 6-13 

change resource password, 9-13 

change resource permission, 9-13 

check resource permission, 9-10 

create printer queue, 5- 14 

printer queue device option, 5-5, 5-6 

share communication device queue, 6-5 
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NET SHARE command (continued) 

share directory, 4-8 

share printer queue, 5-14 

stop snaring communication device queue, 6-15 

stop sharing directory, 4-10 

stop sharing printer queue, 5-28 

stop sharing resource, 3-17 
NET START command 

start service, 2-2 
NET START SERVER command 

turn auditing on or off, 12-7 
NET STOP command 

stop a service, 2-13 
NET USER command 

add user account, 8-24 

disable account, 8-26 

remove user account, 8-31 
netioalert=, 12-4 
Netlogon service 

needed to validate logon request, 10-6 

pause, 2-11 

start automatically for centralized logon security, 10-8 
stop, 2-12 
Netrun service 
stop, 2-12 

used to share programs, 7-5 
Netstation 

defined, 1-4 
Network Audit Trail dialog box 

display audit trail, 12-8 
Network device 

defined, 3-2 
Network path 

defined, 1-8, 4-2 
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Network server administration 
defined, 11-1 

end network administration session, 11-10 
monitor more than one server, 11-4 
responsibility of administrator, 1-15 
run command through the network, 11-8 
start network administration session, 11-2 



o 

On-line help, 1-22 

Opened Files on This Server dialog box 
close file, 12-12 

Other server menu item 

end network administration session, 11-10 
monitor more than one server, 11-5 
start network administration session, 11-2 



P 

Password 

change, 2-8, 8-27 

change logon password from console, B-16 
check resource password, 9-8 
Config menu, 2-9 
defined, 8-4 

for new user, 8-19, 8-24 

NET PASSWORD command, 2-10 

not placed in START.BAT file, 3-17 

resource, change, 9-11 

to terminate console version, B-6 
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Pause 

defined, 2-10 

NET PAUSE command, 2-11 

printer queue, 3-13 

service, 2-10, 2-11 

shared resource, 3-13 

specific printer, 3-14 
PC-LAN 

user name, 8-4 
Permission 

access resource, 8-7 

assign default, 8-48 

assign inherited, 8-48 

change, 8-41, 8-52 

changing as a user, 8-46 

check resource permission, 9-8 

communication device queue, 8-11 

defined, 1-9, 8-7 

disk resource, 8-9 

examine, 8-39 

granting, 8-7 

how LAN Manager determines access, 8-7 
IPC resource, 8-11 

non-administrative use of the NET ACCESS command, 8-46 
printer queue, 8-11 
resource, change, 9-11 
share-level security, 9-3 
share-level versus user-level, 9-3 
shared resource, 2-5 
types for different resources, 8-8 
users setting their own permissions, 8-7 
using the P permission, 8-46 
Plan a local area network 
demand on devices, 1-12 
resources needed by each user, 1-10 
security, 1-11 
servers needed, 1-11 
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Print Queue menu item 

change printer queue status, 5-19 

control print request, 5-16 

list print requests, 5-16 
Print Queues for (Server) dialog box 

change printer queue option, 5-22 

change printer queue status, 5-20 

control print request, 5-16 

list print requests, 5-16 
Print request 

change position in queue from console, B-14 

change status from console, B-l 1 

control, 5-15 

delete, 5-17 

get more information from console, B-l 2 
hold, 5-17 
list, 5-15 

move to front of queue, 5-17 

release held request, 5-17 

restart, 5-17, 5-19 
Printer Queue menu item 

change printer queue option, 5-22 
Printer queue 

change option, 5-22 

change status, 5-19 

change status from console, B-l 1 

continue, 3-14 

control request, 5-15 

create, 5-11 

device name option, 5-5 
list from console, B-9 
list requests, 5-15 
options, 5-4 
pause, 3-13 
permission, 8-11 
print processor option, 5-8 
priority option, 5-7 
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Printer queue (continued) 

scheduling option, 5-8 

separator page option, 5-9 

serve single printer, 5-5 

serve two or more printers, 5-6 

share, 5-11 

stop sharing, 5-27 

two or more for one printer, 5-7 

view options from console, B-9 
Printer 

estimate demand for, 1-12 

maintain, 1-13 
Printing Options for Queue dialog box 

change printer queue option, 5-22 
Privilege 

defined, 1-9 
Privilege level 

admin not recognized under share-level security, 9-4 

for new user, 8-20, 8-25 
Profile script 

create, 10-23 



Q 

Queue 

defined, 3-4 



R 

Resource 

ADMIN$ resource, 3-6 

change status from console, B-17 

check status from console, B-17 

defined, 1-4, 3-3 

IPCS resource, 3-6 

permission, 8-7 

share, 3-9 
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Resource (continued) 

share with unattended server, B-5 

stop sharing, 3-16 

types, 3-3 
Resource security 

defined, 8-1 
Resources This Server Is Sharing dialog box 

list shared resources, 3-7 

pause printer queue, 3-13 

share resource, 3-9 

stop sharing resource, 3-16 
Resources This Server Is Sharing With the Network dialog box 

change communication device queue option, 6-12 

change resource password or permission, 9-11 

check resource password and permission, 9-8 

create communication device queue, 6-3 

create printer queue, 5-11 

share communication device queue, 6-3 

share directory, 4-5 

share printer queue, 5-11 

stop snaring communication device queue, 6-14 

stop sharing directory, 4-9 
Run path 

defined for shared program, 7-4 



s 

Script 

creating, 10-21 
defined, 10-19 
managing, 10-19 
two ways to use, 10-19 
use, 10-20 
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Security 

check level on screen, 8-2 
CONFIG.SYS file, B-3 

difference between share-level and user-level, 2-5 
log off, 2-7 

log-on security, defined, 1-9 
one mode for each server, 8-2 
overview, 1-14 
password, 2-5 
plan, 1-11 

resource security, two types, 1-9 

responsibility of administrator, 1-14 

share-level, 2-5 

shared disk, 4-4 

two ways to control access, 8-1 

unattended server, B-2, B-3 

user-level, 2-5 

username, 2-5 
Security for DOS Netstations, 1-15 
.SEP file 

define separator page, 5-9 
Separator page 

defined, 5-9 

escape codes, 5-10 
Server 

administer through the network, 11-1 

continue, 2-10 

defined, 1-4, 1-6, 2-1 

list, 1-6 

pause, 2-10 

start, 2-2 

start automatically, 2-3 

stop, 2-12 
Server operation 

monitoring and troubleshooting problems, 12-2 
Server options menu item 

stop a service, 2-13 
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Server service 

defined, 2-2 

pause, 2-10 

stop, 2-12 
Server statistics 

look at, 12-5 
Server Statistics Information dialog box 

look at server statistics, 12-5 
Session 

close, 12-10 

display information about, 12-9 
Session Information dialog box 

display Server session information, 12-10 
Set Exit Password dialog box 

console version log on, B-6 
Set Server Configuration dialog box 

stop a service, 2-13 
Share a Device Resource With the Network dialog box 

create communication device queue, 6-3 

share communication device queue, 6-3 
Share a Disk Resource With the Network dialog box 

share directory, 4-5 
Share a Print Queue With the Network dialog box 

create printer queue, 5-12 

share printer queue, 5-12 
Share-level security 

access flowchart, 9-2 

checklist, 9-5 

defined, 1-9 

different from user-level, 8-2 
password verifies permission, 2-5 
permission, 9-3 
setting up, 9-5 
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Share resource automatically 

NET SHARE command, 3-17 

NET START server command, 3-17 

profile files, 3-17 

STARTUP.CMD file, 3-17 
Share resource 

defined, 1-4 
Shared communication device, 3-4 
Shared directory, 3-4 

back up, 4-5 

maintain disk, 4-4 

organize disk, 4-3 

sharename, 4-4 

two ways to use, 4-2 

warning, 4-4 
Shared printer, 3-4 

automatic print notification, 5-3 
Shared program 

add, 7-7 

define run path for, 7-4 
maintain, 7-6 
removing, 7-7 
three ways to use, 7-2 
Shared resource 
access, 2-5 

change password and permission, 9-11 

list, 3-7 

password, 2-5 

password, check, 9-8 

password permission, 9-6 

pause, 3-13 

permission, 2-5 

permission, check, 9-8 

share, 3-9 

share ADMIN$ resource, 3-10 
share IPC$ resource, 3-10 
sharename, 3-2 
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Shared resource (continued) 

stop sharing, 2-12, 3-16 
Shared Resource Information dialog box 

change communication device queue option, 6-12 

check resource password and permission, 9-9 
Sharename 

defined, 1-8, 3-2 

example, 3-3 

reserved for special resource, 3-6 
Show Comm Queues For dialog box 

check communication device queue status, 6-7 
Show Communication device Queues dialog box 

remove requests from communication device queue, 6-10 
Show Print Queues for dialog box 

change printer queue option, 5-22 

change printer queue status, 5-19 

control print request, 5-16 

list print requests, 5-16 
Skills an administrator needs, 1-10 
Start service, 2-2 
Start service Automatically, 2-3 

LANMAN.INI file, 2-4 
START.BAT file 

no passwords in, 3-17 
STARTUP.CMD file 

share resource automatically, 3- 17 

start service automatically, 2-3 
Status menu 

function, 1-21 

look at server's error log, 12-6 
pause specific printer, 3-14 
Stop 

Netlogon service, 2-12 
Netrun service, 2-12 
Server service, 2-12 
sharing directory, 4-9 
sharing resource, 2-12, 3-16 
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Stop a service 

Config menu, 2-13 
defined, 2-12 

NET STOP command, 2-13 
Stop Sharing a Network Resource dialog box 
change resource password or permission, 9-11 
stop sharing directory, 4-9 
stop sharing printer queue, 5-27 



This Server menu item 

change communication device queue option, 6-12 

change resource password or permission, 9-11 

check resource password and permission, 9-8 

continue printer queue, 3-14 

create printer queue, 5-11 

list shared resources, 3-7 

pause printer queue, 3-13 

share directory, 4-5 

share printer queue, 5-11 

share resource, 3-9 

stop sharing communication device queue, 6-14 
stop sharing directory, 4-9 
stop sharing printer queue, 5-27 
stop sharing resource, 3-16 
Two ways to use LAN Manager, 1-17 



Unattended server 
menu, B-8 
security, B-2 
set up, B-2 

share resource with, B-5 
start, B-4 

user information, B-7 
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User-level security 
access flowchart, 8-3 
checklist, 8-12 
create user accounts, 8-14 
define access permission, 8-15 
defined, 1-9 

different from share-level, 8-2 

for shared programs, 7-7 

group account, add, 8-32 

group account, remove group, 8-37 

group account, remove member, 8-36 

maintain, 8-15 

necessary files, 8-13 

necessary for logon validation, 10-6 

password and username verify permission, 2-5 

password, change, 8-27 

permission, assign default, 8-48 

permission, assign inherited, 8-48 

permission, change, 8-41, 8-52 

permission, changing as a user, 8-46 

permission, examine, 8-39 

set up logon security, 8-14 

user account, 8-4 

user account, add, 8-16 

user account, add space for, 8-21 

user account, disable, 8-26 

user account, remove, 8-29 
Username, 2-5 

defined, 1-8, 8-4 

for new user, 8-19, 8-24 
Users 

groups 

menu item 

add user account, 8-17 
Users/Groups dialog box 

change password, 8-27 

enable logon validation for account, 10-15 
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Users/groups menu item 

change password, 8-27 

enable logon validation for account, 10-15 
Utility 

AT A-2 

CokpACT, A-2 
GROWACC, A-4 
MAKEACC, A-2 



V 

View menu 

change communication device queue option, 6-12 

change printer queue option, 5-22 

change printer queue status, 5- 19 

change resource password or permission, 9-11 

check communication device queue status, 6-7 

check resource password and permission, 9-8 

console version log off, B-6 

control print request, 5-16 

continue printer queue, 3-14 

create printer queue, 5-11 

end network administration session, 11-10 

function, 1-21 

list print requests, 5-16 

list shared resources, 3-7 

monitor more than one server, 11-5 

pause connection to all printer queues, 3-13 

share directory, 4-5 

share printer queue, 5-11 

share resource, 3-9 

start network administration session, 11-2 
stop sharing communication device queue, 6-14 
stop sharing directory, 4-9 
stop sharing printer queue, 5-27 
stop sharing resource, 3-16 
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What would you like to share? dialog box 

change resource password or permission, 9-11 

create communication device queue, 6-3 

create printer queue, 5-11 

share communication device queue, 6-3 

share printer queue, 5-11 
Workstation service 

defined, 2-1 

pause, 2-10 
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